Jon Neiditz and Julie C. Grundman | Kilpatrick Townsend & Stockton LLP
The State of New York’s response to two large cybersecurity breaches may fuel the transformation of the state regulation of corporate cybersecurity in the U.S. Unlike typical state data breach statutes, which focus on notification to individuals about breaches of some types of personal information, New York’s new cybersecurity rules impose minimum standards for protecting both critical business and individual nonpublic information, highlighting New York’s concern with both consumer protection and the health of the financial sector. In response to the highly publicized Equifax breach, on September 18, 2017, New York’s Governor Andrew Cuomo directed New York’s Department of Financial Services (NYDFS) to issue a proposed new regulation [1] requiring credit reporting agencies to comply with New York’s high-bar Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Rules”). [2] Governor Cuomo’s action signals New York’s willingness to expand its new model of cybersecurity regulation, mandating that companies protect the confidentiality, integrity, and accessibility of not just individuals’ personal information, but also material business information, which we call a company’s “knowledge assets” or “crown jewels.” On September 25, 2017, the Guardian reported that Deloitte Touche Tohmatsu Limited, the Big Four professional services firm with its operational headquarters in New York City, experienced a cybersecurity breach that affected its email system and client records, among the most critical nonpublic business information of a professional services firm. [3] What, aside from lobbying efforts, is to stop Governor Cuomo from proposing that the New York Cybersecurity Rules cover accounting firms as well?
The History of Cybersecurity Regulation
U.S. regulators have typically issued cybersecurity guidance instead of cybersecurity regulations, heeding legitimate industry concerns over prescribing ineffective “check the box” cybersecurity standards that do not make organizations more secure, and acknowledging that no “one-size-fits-all” cybersecurity solution exists. The ever-evolving nature of cybersecurity threats and technology makes cybersecurity regulation an especially challenging issue. In February 2014, the National Institute of Standards and Technology (NIST), in collaboration with industry and academia, published a voluntary cybersecurity framework to help organizations manage cybersecurity risk. [4] The Department of Homeland Security (DHS) offers voluntary programs and resources for critical infrastructure providers, and works to facilitate public-private cyber information sharing. [5] The Federal Trade Commission (FTC) provides cybersecurity guidance and brings enforcement actions against companies for unfair or deceptive practices that endanger the personal data of consumers. [6] As for credit reporting agencies, while the Consumer Financial Protection Bureau (CFPB) has authority to enforce violations of consumer protection laws by consumer credit reporting agencies, and the FTC can bring civil lawsuits, the authority of the CFPB and FTC to monitor cybersecurity practices is less clear.