The DFS Cybersecurity Regulation 22 NYCRR 500 (“Regulation”) requires businesses operating under NY banking, insurance, and finance laws to implement and maintain certain cybersecurity practices, including risk assessments, documentation of security policies, management of third-party providers, and strict requirements for data breach reporting. Even though the Regulation was issued in March 2017, it did not become fully effective until March of 2019, following a two-year phased implementation process.
On Wednesday, July 22, the Department of Financial Services (“DFS”) filed its first enforcement action against a leading title insurance provider, alleging multiple violations of the Regulation. This enforcement action provides important guidance to the covered entities subject to the Regulation and signals that the DFS is now ready to begin actively enforcing it. This, of course, comes at an interesting time given the heightened risks and challenges organizations face because of the COVID-19 pandemic.
Enforcement Action Summary
The enforcement action at issue alleges that a vulnerability resulted in the exposure of millions of files that included consumers’ bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and driver’s license images. Of note, the DFS alleges that the respondent:
1. Failed to follow its own policies to conduct a security review and risk assessment of the vulnerability and the exposed information.
2. Misclassified the vulnerability within its tracking system as “low” severity and failed to investigate the vulnerability within its own defined time period.
3. Failed to conduct a reasonable investigation into the scope and cause of the exposure after the data exposure was discovered.
4. Failed to follow the recommendations of its internal cybersecurity team to conduct a further investigation into this vulnerability.
5. Did not implement centralized and coordinated training to protect against the unauthorized exposure of sensitive information.
The DFS alleges that these errors not only led to a data exposure that lasted several years but also violated six provisions of the DFS’s Cybersecurity Regulation, including:
1. Section 500.02 requiring a cybersecurity program informed by risk assessment
2. Section 500.03 requiring a written policy approved by a senior officer of the board of directors
3. Section 500.07 requiring access controls
4. Section 500.09 requiring periodic risk assessments
5. Section 500.14(b) requiring regular training
6. Section 500.15 requiring encryption in transit and at rest
The Regulation was promulgated under Section 408 of the Financial Services Law, which carries penalties of up to $1,000 per violation with respect to a financial product or service, including title insurance. The DFS alleges that each instance of Nonpublic Information within the charges constitutes a separate violation carrying up to $1,000 in penalties. This action is scheduled for a hearing before NYDFS beginning on October 26, 2020.
The full DFS press release on its enforcement action is available here.
Lessons Learned
Businesses should follow their own policies, focus on employee training, and employ people who are well versed in data security and privacy.
- Businesses should not underestimate the level of risk associated with vulnerabilities.
- Businesses must follow their own cybersecurity policies and related internal policies and procedures. If representations are made in those policies, it is critical that they are adhered to. For example, if the policy commits to performing a risk assessment, it is imperative that the business carry out its commitment and perform the risk assessment.
- Vulnerabilities must be regularly identified and reviewed. They must be taken seriously, and any security lapses must be addressed.
At Octillo, our lawyers are also technologists and are highly knowledgeable in cybersecurity, data privacy, and regulatory compliance. We have worked with numerous businesses on DFS inquiries and regulatory compliance efforts, including policy development and training. Our team can help your company mitigate risks while assessing the effectiveness of your cybersecurity program. Octillo will help you better understand the Regulation’s requirements and legal implications while also helping reduce risk and manage privacy matters.
*Attorney Advertising. Prior results do not guarantee a similar outcome.*