On Sept. 28, 2016, proposed cybersecurity regulations promulgated by the New York Department of Financial Services (NYDFS) were published in the New York State Register (the NY Cybersecurity Regulations). A press release from New York Governor Andrew Cuomo said that these “new first-in-the-nation” regulations would require banks, insurance companies and other financial services institutions to maintain a cybersecurity program designed to protect consumers.
The proposed regulations have yet to take effect and, as of the writing of this article, remain subject to a 45-day comment period. Assuming no further changes to the language of the NY Cybersecurity Regulations, the new rules will go into effect on January 1, 2017.
Existing Laws, Regulations and Guidance
Gramm-Leach-Bliley: Interagency Guidelines
Governor Cuomo’s pride in the Empire State, while understandable, is misplaced in this case. There are in fact long-standing laws and regulations that impose information security obligations on financial institutions. Most notably, the Gramm-Leach-Bliley Act, a federal law enacted in 1999 (GLBA), requires financial institutions to protect the security and confidentiality of their customers’ nonpublic personal information. Under the authority of GLBA, various financial regulators — such as the Office of the Comptroller of the Currency (OCC), the Federal Reserve and the Federal Deposit Insurance Corp. (FDIC) — promulgated the Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines), which became effective on February 1, 2001.
The Interagency Guidelines apply to financial institutions such as bank holding companies, national banks, state banks that are members of the Federal Reserve System, savings associations and FDIC-insured depository institutions. The Interagency Guidelines require covered financial institutions to maintain a written information security program that includes appropriate administrative, technical and physical safeguards for both the protection of customer information and the destruction of customer information and consumer information (whether such information is in paper, electronic or other form).
Generally speaking, the Interagency Guidelines set forth a flexible, risk-based approach that allows a covered financial institution to determine the security measures that are appropriate for it. The Interagency Guidelines also note that covered financial institutions should have a response program to address incidents of unauthorized access to customer information. As part of such a response program, a covered financial institution should have procedures for assessing incidents of unauthorized data access and notifying regulators, law enforcement and impacted customers regarding such incidents (where appropriate).
Other Regimes Under GLBA
The Interagency Guidelines are not the only GLBA-based information security rules. The National Credit Union Association (NCUA) separately adopted Guidelines for Safeguarding Member Information (NCUA Guidelines) under the authority of GLBA prior to the promulgation of the Interagency Guidelines. The NCUA Guidelines apply to federally insured credit unions. There are no meaningful substantive differences between the NCUA Guidelines and the Interagency Guidelines.
GLBA’s data security requirements also apply to broker-dealers and investment advisors regulated by the Securities and Exchange Commission (SEC), as well as entities regulated by the Federal Trade Commission (FTC) that are substantially engaged in financial service activities. Both the SEC and the FTC have promulgated their own separate data safeguard rules under the authority of GLBA.
FFIEC Examination Handbook
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body consisting of the Federal Reserve, the FDIC, the NCUA, the OCC, the State Liaison Committee and the Consumer Financial Protection Bureau. From time to time, the FFIEC publishes guidance for use by bank examiners of financial regulators. On September 9, 2016, the FFIEC published an updated version of its Information Technology Examination Handbook: Information Security (FFIEC Information Security Booklet). The FFIEC Information Security Booklet, while not having the force of law or regulation, still provides valuable insight into how regulators measure a financial institution’s compliance with the requirements of GLBA and the Interagency Guidelines.
Other State Laws
In addition to GLBA (and the related regulations and regulatory guidance), there are other existing state laws imposing data security obligations on persons and entities (including financial institutions). Some notable examples include:
• a California law requiring businesses that own, license or maintain personal information to implement and maintain reasonable security procedures;
• Massachusetts regulations which require persons or entities owning or licensing personal information to maintain a comprehensive written information security program setting forth administrative, technical and physical safeguards (and if any personal information is electronically stored, the information security program must cover computers and wireless systems); and
• a Connecticut statute which requires any person that conducts business in Connecticut and who possesses another’s personal information to safeguard the data, computer files and documents containing such personal information and to ensure that such data is erased, destroyed or rendered unreadable prior to destruction.
New York’s Cybersecurity Regulation
Governor Cuomo’s claims notwithstanding, it is clear that the NY Cybersecurity Regulations will not be the first regulatory scheme addressing financial institutions’ information security obligations. So, are the NY Cybersecurity Regulations largely duplicative of existing legal requirements and therefore are, at best, unnecessary? Yes … and no.
Below is a brief summary of where the proposed New York regulations are consistent with — and where they differ from — existing laws, regulations and regulatory guidance.
The proposed regulations will cover any person or entity “operating under or required to operate under a license, registration … or similar authorization under” New York’s banking, insurance or financial services laws (Covered Entities). Note that national banks, banks chartered in other states, Federal credit unions and broker-dealers (among others) would not be Covered Entities.
Scope of Proposal
The NY Cybersecurity Regulations will cover:
• Information Systems — which include electronic information resources organized for the collection, processing, use and dissemination of electronic information; and
• Nonpublic Information in electronic form.
Given that their coverage is limited to electronic information (and electronic information processing systems), the NY Cybersecurity Regulations are actually less extensive (in some respects) than GLBA and the Interagency Guidelines (which extend their coverage to information in paper, electronic or other form).
However, GLBA and the Interagency Guidelines limit their coverage to customer information and consumer information (e.g., credit reports and information derived from credit reports). The NY Cybersecurity Regulations define Nonpublic Information to include non-publicly available:
• business information of a Covered Entity (if its unauthorized disclosure would have a material adverse impact on the entity);
• customer (and prospective customer) information;
• information related to the health or health care of individuals;
• information that can be used to identify an individual (e.g., name and government ID); or
• information that is linked or linkable to an individual (e.g., employment related information).