New York is First State to Adopt Comprehensive Cybersecurity Regulations
In 2017, New York became the first state to establish comprehensive cybersecurity regulations. Though these regulations are not binding on Illinois companies, they certainly could be a harbinger of things to come as the recent Equifax and Uber fiascos may prompt a greater legislative and regulatory push around the country. Indeed, this is not the first time that New York has led with nationwide safety measures. Back in 1984, New York became the first state in the country to mandate seatbelt laws, which were soon adopted by other states. A lesson to learn from New York’s example is that there are advantages to being the first – and early adoption of cybersecurity precautions may allow Illinois businesses to get a leg up on their competition by demonstrating to their clients a proactive approach in this area.
The sweeping New York regulation basically expands the scope of entities covered in the regulation to include any organization licensed or registered in the State of New York governed by its banking laws, its insurance laws, or the financial services laws. Exceptions to the new rule are carved out with companies having less than 10 employees (including any independent contractor) or those companies with less than $5,000,000 in gross annual revenue (or less than $10,000,000 in year-end total assets).
Notable among the new requirements under the New York regulation is that all covered entities are responsible for retaining a “chief information security officer” (CISO) to implement and oversee the company’s cybersecurity program. This individual is responsible for maintaining compliance with the regulation for the company. The individual could be an employee or outside contractor.
Another important aspect of the New York regulation is the requirement that all organizations must implement a cybersecurity policy that addresses the following areas to the extent applicable to the organization.
(a) information security;
(b) data governance and classification;
(c) asset inventory and device management;
(d) access controls and identity management;
(e) business continuity and disaster recovery planning and resources;
(f) systems operations and availability concerns;
(g) systems and network security;
(h) systems and network monitoring;
(i) systems and application development and quality assurance;
(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and Third Party Service Provider management;
(m) risk assessment; and
(n) incident response.
The New York statute also contains many requirements which parallel the Federal Gramm-Leach-Bliley Act (GLBA) which also governs financial entities. For example, all covered organizations are responsible for conducting, monitoring and testing of their program to “include continuous monitoring or periodic penetration testing and vulnerability assessments.” The testing is further elaborated to require annual penetration testing of the covered entity’s information system and bi-annual vulnerability assessments. Similarly, consistent with GLBA, there is a requirement for all organizations to use multi-factor authentication or the equivalent to protect against unauthorized access through non-public information or information systems.
In addition, the New York regulation requires entities to:
Install a vendor risk management program, policies and procedures;
Destroy nonpublic information periodically and securely;
Establish a written incident-response plan;
Provide regular cyber security awareness training; and
Provide notice to the New York department of financial services of any breach within 72 hours.
The New York regulations are one state’s efforts to consolidate cybersecurity efforts, prevent costly incidents from occurring and to speed up resolution of those events that do. Though a company’s cybersecurity plan must be carefully tailored to the need of the organization, there is no question that the New York rules demonstrate potential guidance to Illinois corporations in shaping their cybersecurity plan.