The New York Department of Financial Services (NYDFS) blazed a cybersecurity trail with its 2017 regulation for the protection of information collected and processed in, and systems used in the operation of, the financial services and insurance industries. The Empire State’s work has already formed the basis for the National Association of Insurance Commissioners’ model cybersecurity law, several states’ insurance laws, and similar laws for other industries in other states. With “imitation being the sincerest form of flattery,” other states and industries are expected to flatter the DFS by adopting similar requirements.
The NYDFS’ work has been game-changing and will continue to be highly influential. As important as the NYDFS Cybersecurity Regulation is, however, it would be a disservice not to remember the earlier federal and state governmental laws, regulations and guidances that built a foundation on which the NYDFS has erected its New York cyber skyscraper. Taken together, the legal landscape has been dramatically altered in recent years and more changes are inevitable.
Also, as governmental edicts about cybersecurity proliferate, so too do related requirements about data breach notifications and privacy protections.
The NYDFS Cybersecurity Regulation
After drafts and revisions, and plenty of industry comment, the NYDFS promulgated its Cybersecurity Regulation (23 NYCRR 500), effective March 1, 2017, to address the cybersecurity threats facing “Covered Entities,” defined to include all NYDFS licensees, including banks and other lenders, insurance carriers and producers, and others. Beyond other cybersecurity requirements found in existing U.S. laws and regulations, the NYDFS Cybersecurity Regulation expanded the scope of information to be protected by defining “Nonpublic Information” to include the traditional data sets that can expose individuals to identity theft and fraud, as well as information that, if compromised, could cause material harm to the Covered Entity. The NYDFS Cybersecurity Regulation also expanded the scope beyond information to include “Information Systems,” including systems used to process Nonpublic Information, as well as operations systems (including HVAC and telephone systems) needed to operate the Covered Entity’s business.
Also beyond other U.S. laws and regulations focused on cybersecurity, the NYDFS Regulation is highly prescriptive: it identifies particular written policies and safeguards that must be adopted, particular requirements for general employee awareness and for specific employee qualifications and training, and requirements for assessing and managing the cybersecurity risks presented by the Covered Entity’s use of third-party service providers with access to Nonpublic Information and Information Systems. Most of these requirements are based on a required periodic cybersecurity risk assessment.
In addition, the NYDFS introduced a requirement to notify NYDFS of certain types of cybersecurity events within 72 hours, much sooner than existing U.S. breach notification requirements, but consistent with the notice deadline of the new European Union General Data Protection Regulation (GDPR). The notification requirement is also broader: it encompasses certain breaches covered by existing state breach notice requirements, and it includes certain breaches of systems that could threaten the Covered Entity without compromising the types of information that could expose individuals to identity theft and fraud.
The NAIC Insurance Data Security Model Law
Following the lead of the NYDFS, in October 2017 the NAIC adopted its Insurance Data Security Model Law (NAIC Model) to establish insurance industry standards for data security, and for the investigation and notification of certain cybersecurity events. The NAIC Model applies to any individual or nongovernmental entity licensed, authorized, or registered under the insurance laws, with certain exceptions. An NAIC task force had been working on cybersecurity standards for two years, but substantially revised its prior working drafts to follow the concepts and terminology used in the NYDFS Cybersecurity Regulation. The NAIC Model has the potential to affect the entire insurance industry, including InsurTech firms and other service providers with access to the data and systems of insureds and producers.
The NAIC Model, while based on the NYDFS Cybersecurity Regulation, differs from it in several important respects. To address concerns about inconsistency among the states, a drafters’ note to the NAIC Model states that Licensees in compliance with the NYDFS Cybersecurity Regulation are deemed to be in compliance with the NAIC Model.
On May 3, 2018, the South Carolina Governor made South Carolina the first state in the nation to adopt a comprehensive cybersecurity statute for the insurance industry, by signing into law the South Carolina Insurance Data Security Act (H4655) based on the NAIC Model, which will become effective January 1, 2019.