New York Data Breach Requirements Set Reporting Tone Nationally
Cybersecurity regulations can be a constantly moving target, with digital advances and sophisticated threat actors appearing at every turn. New York State’s Department of Financial Services made significant moves last November toward boosting the state’s regulatory framework around these distinct challenges.
With the approach of the new regulations’ first anniversary—marking the effective date for several of the most important new compliance requirements—companies should stay vigilant as cyberattacks and security breaches become an increasing concern.
NYDFS regulates more than 3,000 financial institutions with assets totaling more than $9.7 trillion including insurance companies, health insurers and managed care organizations, banking and other financial institutions, and virtual currency companies, among others.
The latest regulations from 2023 update a 2017 version of the NYDFS cybersecurity regulation to create more rigorous reporting, incident response, and governance standards. Also, a new category was included for large Class A firms. The requirements under the amendment are being phased in.
Is your business ready to manage cybersecurity events including ransomware attacks? Key steps can guide your response plan under New York’s new requirements.
First Steps
According to the Director of National Intelligence, ransomware data attacks increased globally by 74% in 2023 compared to 2022. Responding to a data breach can be costly.
IBM’s 2024 report said the average cost of a data breach jumped to $4.88 million from $4.45 million in 2023, a 10% spike and the highest increase since the pandemic.
If your organization is targeted, determine whether to notify government or regulatory agencies such as NYDFS, state attorneys general, the Securities and Exchange Commission, the Federal Trade Commission, or the Department of Health and Human Services Office for Civil Rights.
If your entity is regulated by NYDFS, notification is required if the event is determined to have “a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity,” or if ransomware was deployed “within a material part” of the information systems.
You may also need to notify affected individuals about the incident. All states require notifications of residents whose personally identifiable information was accessed or acquired.
Notifications
Use the DFS portal and website form, and save a copy of the confirmation email and receipt number. Companies should explore the possibility that additional notifications could be required by statutory, regulatory, or contractual requirements.
Statutes such as the NY Shield Act, General Business Law Section 899-aa, and other state-level statutes and regulators could all come into play. Also, consider individual notifications and review contractual obligations.
Timing
The timing of the notification may be critical as different deadlines may apply. NYDFS requires notification “as soon as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred.”
Other regulators—such as California—don’t specify the time period but require notification “in the most expedient time possible and without unreasonable delay.” Other states require notification within 30 or 60 days. If you must notify multiple regulators, you must manage the different deadlines.
In May, the SEC hit the New York Stock Exchange’s parent company, Intercontinental Exchange, with a $10 million penalty for waiting five days to notify of a breach. NYDFS has imposed similar fines, reminding us that regulators are monitoring the timing of the notification and extent of forensic understanding of a given incident.
New York now requires notification of ransomware attacks within 72 hours. If an extortion payment was made, notification must happen within 24 hours of the extortion payment. Within 30 days, “a written description of the reasons payment was necessary” is required. Other rules for ransomware payments, such as from the Office of Foreign Assets Control, may also apply.
Conduct forensic analysis to assess the scope of the incident, which information systems were accessed, what information was acquired or impacted, and whether the incident is contained. Note when the determination of a cybersecurity incident was made, as this point in time triggers the notification clock.
Security
Restoring security is paramount. Depending on the type of incident, your company may need to take steps such as disabling user accounts, installing patches, and changing passwords. Entities must implement a written incident response, as well as business continuity and disaster recovery plans. It’s vital to analyze the root cause of the occurrence.
Legal Protections
Ensure legal protections are in place so you can obtain the legal guidance needed based on the circumstances concerning the cyber investigation, notification, regulatory inquiries, and potential litigation. The attorney-client privilege protects confidentiality of communications with counsel to obtain legal advice. The work-product doctrine protects mental impressions, conclusions, opinions, and legal theories in anticipation of litigation.
Many companies learn after an incident that they don’t have adequate insurance. Applicable policies might include cybersecurity, crime, or similar plans.
If you’re unsure about the scope of coverage, seek legal guidance on the scope of coverage and insurance notification now—before a significant incident occurs.
Providers and Affiliates
Since the 2023 amendment to the NYDFS cybersecurity regulation, notification requirements now extend to cybersecurity incidents at affiliates and third-party service providers. Companies will need to gauge whether the cybersecurity incident impacted these additional entities.
Messaging
Sharing the news of a cyber breach that reveals personal information may not be a pleasant task but is vital. Consider 23andMe’s handling of a recent breach, which affected 6.9 million user profiles; the organization reported the attack in October 2023 but didn’t reveal its full extent until December 2023, and also failed to inform certain users that their data was specifically targeted. The company settled a $30 million class-action lawsuit.
The importance of notifications and updates geared to both customers and employees, paired with a well-thought-out public relations strategy, can’t be overstated.
In addition to its $1 million fine against a title company in late 2023, NYDFS has assessed multi-million-dollar fines against many regulated entities. As a result, the federal government and several states have already taken cues from NYDFS. With the SEC and Department of Justice eager to tighten up cybersecurity compliance, New York’s latest amendments will likely serve as a template for governance decisions around the country.
Companies can get a leg up on incoming rules, though, by planning compliance strategies early and thoroughly. They should review their cybersecurity, incident response, business continuity, and disaster recovery plans, and seek legal advice in the event of a cybersecurity incident or attack. Are you prepared?
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Brian Montgomery is partner at Pillsbury and a former NYDFS deputy superintendent.
Mark Krotoski is partner at Pillsbury and former national coordinator for the Computer Hacking and Intellectual Property Program at Department of Justice.