2017 brought a new trend in cybersecurity law – state agency rulemaking independent of legislative action. To be sure, Massachusetts has long had cybersecurity regulations on the books, but those regulations were enacted based on a legislative mandate. What occurred in 2017 is different because individual state agencies in New York, Colorado, and Vermont took it upon themselves to promulgate regulations directed at filling a perceived need to ensure that regulated entities were taking proper steps to protect confidential information. That action – and the expectation that we will see more in 2018 – has added another level of complexity to the web of state and federal laws that govern this area. In fact, in another sign that we can expect even more action in this area, at the end of 2017, the National Association of Insurance Commissioners issued a 13 page model data security law.
New York Department of Financial Services
Beginning in 2015, the New York Department of Financial Services (NYDFS) began the process of drafting and issuing cybersecurity regulations impacting financial institutions under its jurisdiction. The NYDFS issued proposed regulations in September 2016 and revised regulations in December 2016, which became effective March 1, 2017. The final regulations are available here.
The regulations set forth an extensive set of requirements, including, among other things, that covered entities:
- Maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems (Section 500.02);
- Implement and maintain a written policy or policies for the protection of the covered entity’s information systems and nonpublic information stored on those information systems (Section 500.03);
- Designate an individual responsible for overseeing the cybersecurity program and enforcing the cybersecurity policy (Section 500.04);
- Conduct penetration testing and vulnerability assessments (Section 500.05);
- Limit user access privileges (Section 500.07);
- Conduct risk assessments (Section 500.09);
- Implement written policies and procedures for third party service providers that handle confidential information (Section 500.11);
- Establish a written incident response plan (Section 500.16);
- Notify the DFS Superintendent within 72 hours of a “Cybersecurity Event” (1) of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body; or (2) that has a reasonable likelihood of materially harming any material part of the normal operations of the covered entity.
The regulation phases in its requirements by establishing tiered transition periods.
Colorado Division of Securities
In July 2017, Colorado became only the second state, after Vermont (discussed below), to issue cybersecurity rules applicable to broker-dealers and investment advisers. The rules were issued by the Colorado Division of Securities only weeks after New York enacted its cybersecurity regulations. The Division’s cybersecurity rules have been discussed, at length, in Chapter 4 of the Colorado Privacy & Cybersecurity Handbook.
In general, the Division’s rules are less prescriptive than the NYDFS’s cybersecurity rules but still require covered entities to identify potential risks, detect and protect against those risks, and prepare for and respond to cybersecurity events. The Division also recently published a checklist for complying with its rules.
Vermont Department of Financial Regulation, Securities Division
In May 2017, Vermont’s Department of Financial Regulation, Securities Division, promulgated cybersecurity rules applicable to “securities professionals,” defined as “any person providing investment-related services in Vermont, including: broker-dealers, agents, investment advisers, investment adviser representatives, solicitors, and third-party portals.” The regulations require those individuals to “establish and maintain written procedures reasonably designed to ensure cybersecurity.” The procedures must provide for:
- An annual cybersecurity risk assessment;
- The use of secure email, including use of encryption and digital signatures;
- Authentication practices for employee access to electronic communications, databases and media;
- Procedures for authenticating client instructions received via electronic communication; and
- Disclosure to clients of the risks of using electronic communications.
Vermont’s regulations also require securities professionals to maintain adequate cybersecurity insurance and to provide identity restoration services at no cost to consumers if there is a breach of consumer nonpublic personal information.
The question for 2018 is not whether more state regulators will follow the lead of New York, Colorado and Vermont, but rather how many more will do so. Indeed, the widespread reporting of breaches impacting investment and other financial information will only increase the desire of regulators to protect consumer personal information.