Cybersecurity is a critically important concern for businesses of all sizes and in all sectors of the economy. The growth of various electronic data systems, not to mention the internet, has brought almost countless new risks from hackers and others, who use new technologies to perpetrate traditional crimes like theft. Businesses that collect and maintain consumers’ personal information must be particularly careful, since cybersecurity breaches can affect their customers’ financial interests as well as their own. The New York State Department of Financial Services (DFS) announced new proposed cybersecurity regulations several months ago for businesses in the financial sector. The proposed regulations, which are reportedly the first of their kind in the country, would require covered businesses to undertake extensive measures to safeguard their data.
New York law currently requires state agencies and private businesses to notify the state’s attorney general of any cybersecurity breaches that result in the release of “private information” to unauthorized persons. “Private information” is information that may be used to identify a particular individual and that includes details like a Social Security number, a driver’s license or other identification number, or information that could enable access to a credit card or another financial account. N.Y. State Tech. L. § 208, N.Y. Gen. Bus. L. § 899-AA. State law does not currently impose affirmative obligations on businesses to protect private information or to guard against cybersecurity breaches.
The governor announced the proposed DFS regulation in mid-September 2016. The regulation, which will be codified in Title 23 of the New York Codes, Rules, and Regulations (NYCRR), applies to any business or organization under the jurisdiction of the New York Banking Law, Insurance Law, or Financial Services Law. 23 NYCRR § 500.01(c) (proposed). It requires “covered entities” to perform a risk assessment on a periodic basis, initially to identify cybersecurity needs and vulnerabilities, and subsequently “to respond to technological developments and evolving threats.” Id. at § 500.09.