A Post-Equifax World: The Times They Are A Changin'
We now live in a post-Equifax world. When we look back at this time in history, I truly believe that is how we will measure cybersecurity regulations. How we approached cybersecurity pre-Equifax and how we approach cybersecurity post-Equifax. There is no point in denying that the cyber-world has fundamentally shifted. People who were paying little-to-no attention to cybersecurity are now running to their “tech guy” to find out what type of security their company employs. So what can we expect from this post-Equifax world, you may be asking? Simply (and yet there is nothing simple about it), more regulations.
On September 18, 2017, Governor Andrew M. Cuomo of New York directed the Department of Financial Services (DFS) to issue a new regulation that would make credit reporting agencies register and comply with New York’s Cybersecurity Regulation (23 NYCRR Part 500). This regulation, which became effective on March 1, 2017, requires insurance companies, and other financial services institutions regulated by the DFS, to have a cybersecurity program designed to protect consumers’ private data. The program must include a written policy or policies that are approved by the board or a senior officer, a Chief Information Security Officer to help protect data and systems, and controls and plans in place to help ensure the safety and soundness of those financial institutions. Covered entities must also begin reporting cybersecurity events to the DFS through the Department’s online cybersecurity portal.
New York celebrates the fact that its Cybersecurity Regulation was a “first in the nation” type of regulation. It is not, however, the last. Shortly thereafter, and following in the footsteps of DFS, the Colorado Division of Securities adopted cybersecurity regulations applicable to broker-dealers, investment advisers and other fund managers who purchase securities or conduct business in the state. Colorado’s regulation is more limited in scope than the New York Cybersecurity Regulation: it only applies to broker-dealers purchasing securities in Colorado and investment advisers doing business in the state. Further, there are no requirements for third party vendors. Colorado also follows a reasonableness standard and applies that standard to the covered entities to determine if they are in compliance. Reasonableness includes annual risk assessments, using secure email (including encryption and digital signatures for emails containing Confidential Personal Information), authentication of clients’ email instructions and employee access to electronic communication, and disclosure to clients of the risks of using electronic communications.
Delaware is another state revamping its cyber-regulations. On August 17, 2017, Delaware enacted House Substitute 1 for House Bill 180, which affects businesses that suffer cybersecurity breaches. Those businesses will face far more stringent notification requirements than previously required. Until the bill goes into effect, businesses that experience a cybersecurity breach are required only to notify the affected Delaware citizens “without unreasonable delay,” a standard which is fairly commonplace amongst cybersecurity notification laws. However, as of April 14, 2018, companies will need to provide notice within 60 days, except in limited circumstances.
In addition to these states, Texas, Vermont, and Illinois have also enacted new cybersecurity legislation. While some of this legislation was being considered and was pending before Equifax, I think it is safe to say that these laws are merely the tip of the proverbial iceberg when it comes to protecting consumers. Thus far, the most stringent cybersecurity regulations have been in the areas of healthcare and finance. However, what Equifax has shown is that siloing cybersecurity into only certain industries has left other industries -- and, as a natural consequence, many individuals -- more vulnerable and susceptible to cyber attacks.
As we sit here and ponder our lives post-Equifax, the question on my mind is: what’s the next breach? Cybersecurity affects all of us. Businesses are starting to wake up to the fact that it is not only certain groups that need to be concerned. A single breach can cause a small business to go out of business within 6 months. And that is just from the financial strain of addressing the direct effects of the breach. The secondary effects, like loss of consumer/client confidence, can be just as devastating. It is not just consumers that are impacted. Our businesses, our election process, our infrastructure can and will be affected by this cyber intensive, technology-driven world. The sooner we start thinking about cybersecurity as a necessity rather than a luxury, the sooner we will all be a little safer and more secure.
* * * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.