I don’t mean to ruin your holiday weekend, but we thought to send out a friendly reminder on the next set of rolling deadlines and requirements from New York’s financial services cybersecurity law (23 NYCRR 500). A regulated organization that must comply with the law, or “covered entity,” is “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” in New York state. Not all requirements apply to all businesses subject to the law, as there are several exemptions. That said, as applicable, the following requirements should be in place by Sept. 3, 2018.

  • Encrypt, encrypt, encrypt. As we wrote about this summer, you can never undervalue encryption as a tool to not only prevent threats, but improve overall compliance. Regulated organizations must implement security controls, including encryption, to protect information in transit over external networks and information at rest. Encryption is not mandated, but a company is expected to evaluate its capability to encrypt and find reasonable alternatives, if not possible. Regular review of such controls is required. See Section 500.15.
  • Train and verify. Organizations must continue to develop and document a training and awareness program to educate employees on organization policies to safeguards information, to include auditing employee compliance. See Section 500.14.
  • Audit. Regulated organizations must maintain an audit trail of all systems and financial transactions and keep such records for (at least) five years. Other requirements apply. See Section 500.06.
  • Security of applications.  Regulated organizations need to develop and maintain the administrative safeguards (policies and procedures) to ensure any newly developed applications used by the organizations meet the necessary security requirements. See Section 500.08.
  • Data retention policy and schedule. Organizations need to develop or update their data retention and destruction policy to ensure timely removal and destruction of personal information that is no longer required for business operations. Exceptions exist for legal requirements or the feasibility of such retention and deletions. See Section 500.13.

As always, we encourage you to consult the law and your legal counsel, as needed, to determine what requirements apply to your business and what exemptions may be available. But, as we see across the country, including Ohio recently, states are continuing to demand good data governance from businesses in all sectors that use sensitive and personal information. Ok, go enjoy the last few days of summer.