Cybersecurity rulemaking in the United States has so far been piecemeal, despite numerous efforts. Unlike the European Union, which has moved in a unified way through its General Data Protection Regulation (GDPR), the U.S. has no comparable single framework. What we do have are bolstering amendments to the Gramm-Leach-Bliley Act, embodied in the Consumer Data Security and Notification Act of 2015, which seeks to require financial institutions to give notice of data breach incidents. While the term "industries" has expanded to encompass all entities with operational responsibility for handling consumer financial information, Congress responded to California's promulgation of the California Notice of Security Breach Act by proposing its own Information Protection and Security Act. The race is on to set provisions with teeth that cut through the obstacles in cybersecurity and data management while remaining responsive to consumer protection needs.
Needless to say, companies have been required to address cybersecurity and the management of data, especially personally identifiable information (PII). There is also a growing concern with corporate spying, which was the impetus for the SPY Act, i.e., the Securely Protect Yourself Against Cyber Trespass Act. Though not a success, initiatives since 2011 have pursued legislative reforms to meet concerns with information sharing, data management, and cloud transfers, especially with the E.U. and entities conducting business in the E.U. But the matter of setting a cybersecurity regulation has now been placed center-stage by the State of New York. In a press release, New York's Department of Financial Services (DFS) announced its Rule to "protect consumer data and financial systems from terrorist organizations and other criminal enterprises." The rule took effect March 1, 2017. The release noted that the provision "will require banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State's financial services industry."
The scope of its coverage hits all the points: it defines the key terms (affiliates, penetration testing, persons, publicly available information) that tie contractual responsibility to covered parties, and it imposes recurring monitoring obligations through risk assessments, authentication requirements, and programs for advisory roles. It further extends its scope to authorized users and covered entities. An "authorized user" is deemed to be an employee, contractor, or agent with authorized access to the information systems of the covered entity. The rule is aptly structured around its core requirements: a cybersecurity program, a cybersecurity policy, a chief information security officer, penetration testing, vulnerability assessments, audit trails and screening, application security, personnel qualifications and clearances, third-party vendor cybersecurity policies, and incident response plans. The requirements also cover encryption, multi-factor authentication, training, monitoring, notifications, post-incident assessments, pre-incident security integrity audits and post-incident audits, and the expected implementation and enforcement.
As the rule takes effect, many entities will face compliance concerns with their policies and contracts. The example being set by New York's DFS will probably catch the eye of Washington and serve as a model for other states, especially as the EU moves closer to enforcing its GDPR. Concerns over cyber-attacks and cyber incidents keep rising, and lawmakers appear to be recognizing the need to act. The general hope is that the initiative catches the attention of managers and heads of covered entities, and of those on the fringes, for the sake of cyber peace of mind and consumer protection at large. It may even wake up other states too.