New York Department of Financial Services Cybersecurity Regulation Adds Breach Notification Obligation for Financial Institutions
Effective March 1, 2017, 23 NYCRR 500, a new cybersecurity regulation from the New York Department of Financial Services (NYDFS), added a cybersecurity event notification obligation that could be triggered by a breach under the state’s general breach notification statute.
Along with numerous new obligations in 23 NYCRR 500 related to cybersecurity policies, penetration testing, vulnerability assessments, audit trails, encryption, and third party service providers, you will find the following under Section 500.17:
Notices to Superintendent
(a) Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event as follows has occurred:
(1) Cybersecurity Events of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; and
(2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.
As defined in 23 NYCRR 500.01(d), a cybersecurity event means, “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.”
If an incident involving data regulated under § 899-aa of the New York General Business Law meets both the definition of a breach under that statute as well as the definition of a cybersecurity event under 23 NYCRR 500, an entity may be required to notify all of the following:
899-aa
- Affected individuals
- New York State Attorney General’s Office -- Consumer Frauds & Protection Bureau
- New York State Division of State Police -- New York State Intelligence Center
- New York State Department of State -- Division of Consumer Protection
- Credit reporting agencies
23 NYCRR 500
- Superintendent of the New York Department of Financial Services
Banks, insurance companies, and other financial services institutions are already subject to complex notification obligations under federal law as well as the NYDFS, but now they will also need to be aware that a breach notification under the state’s general breach notification statute may trigger an additional necessary notification under this new cybersecurity regulation.
This post was originally published on the RADAR blog.
Additional reading:
- New York Department of Financial Services Cybersecurity Rules Revised and Delayed, Hogan Lovells
- New York Department of Financial Services Revises Cybersecurity Proposal: Greater Flexibility and Delayed Compliance Deadlines, Proskauer Privacy Law Blog
- New York Revamps Proposed Cybersecurity Regulation for Financial Services and Insurance Entities, National Law Review