New York Data Breach Requirements Set Reporting Tone Nationally

Cybersecurity regulations can be a constantly moving target, with digital advances and sophisticated threat actors appearing at every turn. New York State’s Department of Financial Services made significant moves last November toward boosting the state’s regulatory framework around these distinct challenges.

With the approach of the new regulations’ first anniversary—marking the effective date for several of the most important new compliance requirements—companies should stay vigilant as cyberattacks and security breaches become an increasing concern.

NYDFS regulates more than 3,000 financial institutions with assets totaling more than $9.7 trillion including insurance companies, health insurers and managed care organizations, banking and other financial institutions, and virtual currency companies, among others.

The latest regulations from 2023 update a 2017 version of the NYDFS cybersecurity regulation to create more rigorous reporting, incident response, and governance standards. Also, a new category was included for large Class A firms. The requirements under the amendment are being phased in.

According to the Director of National Intelligence, ransomware data attacks increased globally by 74% in 2023 compared to 2022. Responding to a data breach can be costly.

IBM’s 2024 report said the average cost of a data breach jumped to $4.88 million from $4.45 million in 2023, a 10% spike and the highest increase since the pandemic.

If your organization is targeted, determine whether to notify government or regulatory agencies such as NYDFS, state attorneys general, the Securities and Exchange Commission, the Federal Trade Commission, or the Department of Health Human Services Office for Civil Rights.

If your entity is regulated by NYDFS, notification is required if the event is determined to have “a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity,” or if ransomware was deployed “within a material part” of the information systems.

You may also need to notify affected individuals about the incident. All states require notifications of residents whose personally identifiable information was accessed or acquired.

Notifications

Use the DFS portal and website form, and save a copy of the confirmation email and receipt number. Companies should explore the possibility that additional notifications could be required by statutory, regulatory, or contractual requirements.

Statutes such as the NY Shield Act, General Business Law Section 899-aa, and other state-level statutes and regulators could all come into play. Also, consider individual notifications and review contractual obligations.

Timing

The timing of the notification may be critical as different deadlines may apply. NYDFS requires notification “as soon as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred.”

Other regulators—such as California—don’t specify the time period but require notification “in the most expedient time possible and without unreasonable delay.” Other states require notification within 30 or 60 days. If you must notify multiple regulators, you must manage the different deadlines.

In May, the SEC hit the New York Stock Exchange’s parent company, Intercontinental Exchange, with a $10 million penalty for waiting five days to notify of a breach. NYDFS has imposed similar fines, reminding us that regulators are monitoring the timing of the notification and extent of forensic understanding of a given incident.

New York now requires notification of ransomware attacks within 72 hours. If an extortion payment was made, notification must happen within 24 hours of the extortion payment. Within 30 days, “a written description of the reasons payment was necessary” is required. Other rules for ransomware payments, such as from the Office of Foreign Assets Control, may also apply.

Sharing the news of a cyber breach that reveals personal information may not be a pleasant task but is vital. Consider 23andMe’s handling of a recent breach, which affected 6.9 million user profiles; the organization reported the attack in October 2023 but didn’t reveal its full extent until December 2023, and also failed to inform certain users that their data was specifically targeted. The company settled a $30 million class-action lawsuit.

The importance of notifications and updates geared to both customers and employees, paired with a well thought-out public relations strategy, can’t be understated.

In addition to its $1 million fine against a title company in late 2023, NYDFS has assessed multi-million dollar fines against many regulated entities. As a result, the federal government and several states have already taken cues from NYDFS. With the SEC and Department Of Justice eager to tighten up cybersecurity compliance, New York’s latest amendments will likely serve as a template for governance decisions around the country.

Brian Montgomery is partner at Pillsbury and a former NYDFS deputy superintendent.

Mark Krotoski is partner at Pillsbury and former national coordinator for the Computer Hacking and Intellectual Property Program at Department of Justice.

Write for Us: Author Guidelines