New York Department of Financial Services (NYDFS)

The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation. Continue Reading NYDFS Requires Consumer Credit Reporting Agencies to Comply with Cybersecurity Regulation

2017 brought a new trend in cybersecurity law – state agency rulemaking independent of legislative action. To be sure, Massachusetts has long had cybersecurity regulations on the books, but those regulations were enacted based on a legislative mandate. What occurred in 2017 is different because individual state agencies in New York, Colorado, and Vermont took it upon themselves to promulgate regulations directed at filling a perceived need to ensure that regulated entities were taking proper steps to protect confidential information. That action – and the expectation that we will see more in 2018 – has added another level of complexity to the web of state and federal laws that govern this area. In fact, in another sign that we can expect even more action in this area, at the end of 2017, the National Association of Insurance Commissioners issued a 13 page model data security law. Continue Reading State Cybersecurity Regulations: A Look Back at 2017