This is the first post in a two-part series about cybersecurity regulations and breach notification requirements.
Recent headlines of high-profile cyber-attacks confirm the maxim that the cover-up usually causes more trouble than the event itself.
The latest attack and damaging cover-up is a hack on Uber that exposed personal data of 57 million riders and drivers around the world. Hackers accessed the data through a third-party, cloud-based service. Compromised information included email addresses and 600,000 driver’s license numbers.
Uber was hacked in November 2016, learned of the breach one month later, and finally made public disclosure on November 21, 2017. The company also revealed it told a potential investor about the breach before the news went public.
Although there is no proof that location history, credit card numbers, banking information, Social Security numbers or dates of birth were compromised, Uber was legally obligated to alert both users and authorities of the breach. Instead, Uber, already facing an FTC investigation for similar privacy-related issues dating back to 2014, paid $100,000 in “hush money” — trusting the hackers to delete the information and keep quiet about it.
To further conceal the breach, Uber executives also made it appear as if the payout was part of a “bug bounty” — a common practice among technology companies in which they pay hackers to attack their software to find soft spots.
The company fired its chief security officer and one of his deputies for their actions following the hack.
Now Uber faces scrutiny by federal and state regulators for its failure to disclose this massive data breach, and may also have violated international laws since the breach involved accounts around the world. Additional fallout includes a lawsuit seeking class-action status in California, and more are likely to follow.
The Uber situation, among others, provides timely context for a brief look at the rapidly evolving landscape of cybersecurity regulations and breach notification requirements.
New York Is First-Mover in Cybersecurity Regulation
On August 28, 2017, the New York State Department of Financial Services’ (DFS) first-in-the-nation cybersecurity regulation went into effect.1
Because the financial services industry is a significant target of cybersecurity threats, the groundbreaking regulation applies to any individual or company regulated by DFS (“covered entities”).2 Covered entities are required to comply with minimum requirements by February 15, 2018, including:
- Conduct a risk assessment of its information systems to identify internal and external threats facing the organization. The risk assessment must describe how external risks (like hackers) and internal risks (like employees, trusted vendors and independent contractors) will be ferreted out and mitigated and how the program will address those risks.
- Develop a cybersecurity program, based on the covered entity’s risk assessment.
- Develop a cybersecurity policy.
- Designate a chief information security officer (CISO).
- Limit those with access to non-public information or information systems.
- Use qualified cybersecurity personnel to manage cyber risks.
- Notify the DFS of a cybersecurity event within 72 hours and provide notice to consumers who have been affected by cybersecurity incidents.
- Maintain a written incident response protocol.
There are limited exemptions for smaller companies with fewer than 10 employees (including independent contractors), less than $10 million in year-end total assets, or less than $5 million in gross revenue.
Other New York Regulations
In early November, New York Attorney General Schneiderman proposed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which would cover credit reporting agencies and many other types of companies that collect personally identifiable information on individuals.3
This proposed legislation follows the Equifax breach that compromised data of more than 143 million Americans and 8 million New Yorkers.4 It applies to anyone holding private information of New Yorkers, rather than just those who “conduct business” in New York. In addition, the bill broadens the requirements for reporting a breach to the Attorney General to those who “access” private information in addition to those who “acquire” private information.
Among other things, the SHIELD Act would:
- Require notification for breaches of additional data types, including username-and-password combinations, biometric data, and HIPAA-covered health data. New York state law currently requires companies to meet data security requirements only if the identifiable information contains a Social Security number.
- Require reasonable security for private information, scaled to the size of the business; provide incentives to businesses that certify security compliance; and give clear examples of safeguards (e.g., technical, administrative, and physical measures).
- Carve out “compliant regulated entities” that are already regulated by, and compliant with, existing or future regulations of any federal or NYS government entity (such as the DFS cybersecurity regulations or HIPAA regulations).
- Provide safe harbor from state enforcement action for companies that have already been certified under other government data security regulations as having information security measures that meet sufficient standards.
- Provide a more flexible standard and tailored requirements for small businesses with fewer than 50 employees and under $3 million in gross revenue, or less than $5 million in assets.
On September 18, 2017, New York Governor Andrew Cuomo proposed new regulations that would subject consumer credit reporting agencies to the same groundbreaking cybersecurity rules that the state recently enacted for banks and insurance companies.5 Under the proposed regulations, every consumer reporting agency that maintains a consumer credit report on NYS consumers must register with the State by February 1, 2018, and have a written cybersecurity program in place by April 4, 2018.
Regulatory scrutiny is a likely part of a cyber claim. Just as timely notice after a loss is required under every insurance policy, prompt disclosure of a breach event is an important aspect of the New York regulations.
Since these laws contemplate a 72-hour notice window, policyholders seeking coverage for a cyber claim should be aware that responsive cyber coverage might depend (at least in part) on strict regulatory compliance.
1 23 NYCRR 500 (implemented March 1, 2017), see http://www.dfs.ny.gov/about/cybersecurity.htm
2 While banks, insurance companies and other financial institutions are directly contemplated by the regulation, we note that public adjusters in New York are also governed by DFS and may be required to comply with these cybersecurity regulations unless they qualify for an exemption. Check back for future posts discussing the potential impact of these regulations on public adjusters and third parties who might have unexpected obligations to comply with this regulation.
4 On July 29, 2017, Equifax discovered that cyber criminals had seized personal data, including Social Security and driver’s license numbers for 143 million consumers, but did not reveal this to the public until September 7, 2017.