Updated: May 11
Bloomberg Law’s Senior Legal Editor Daniel R. Stoller posted this week more details on the New York Department of Financial Services (NYDFS) ruling that the major credit bureaus must comply by November 1st, 2018 with New York’s Cybersecurity Regulation.
NYDFS decided to include Equifax, Experian and TransUnion under the NYDFS Cybersecurity Regulation, or also known as the 23 NYCRR 500 Regulation, because of the 2017 Equifax and 2013 Experian data breaches. These rules will impose more strict cybersecurity requirements on the institutions that handle some of the most sensitive consumer data.
According to Bloomberg Law, Maria Vullo, the New York DFS Superintendent, said the “first-in-the nation rules were intended to safeguard New York’s markets, consumers and sensitive information from cyberattacks.”
One of the strictest of the new rules is the requirement that the credit bureaus must notify the NYDFS of a data breach within 72 hours. This notification requirement along with other data protection requirements mirrors that of the EU’s General Data Protection Regulation (GDPR).
Who Else is Affected?
Not just the credit reporting bureaus are affected by the 23 NYCRR Part 500. Actually the regulation has already rolled out to all New York financial institutions and includes:
Service contract providers
What Needs to be Done?
Many parts of the regulation requirements have been incrementally rolled out since March 1st, 2017 with five subsequent rolls outs of sub-regulations and requirements.
Financial institutions need to make sure they have in place the following:
Install a detailed cybersecurity plan.
Enact a comprehensive cybersecurity policy.
Designate a qualified Chief Information Security Officer (CISO) to oversee, implement and enforce the cybersecurity plan and policies. Organizations can use a third party to fill this role.
Use qualified and trained cybersecurity personnel to manage cybersecurity threats and responses. Organizations can use a third party to fill these roles.
Enact data encryption and controls of sensitive data.
Have incident reporting process in place and document and report all cybersecurity events.
Notify the NYDFS about cybersecurity potential risks.
Complete a certification with the NYDFS every year to confirm regulatory compliance.
Small and medium-sized companies can hire third party service providers to meet many of the regulation requirements.
The NYDFS included the credit bureaus under the Cybersecurity Regulation in response to the growing problem with cyber crime and the increasingly volatile cybersecurity issues facing U.S. financial institutions. The goal is to help safeguard sensitive customer data and to promote the integrity of the information technology systems of these regulated entities.
Christine Baird, CEO of Clarus Tech Partners, has a team of cybersecurity and compliance experts who advise and implement data security and privacy regulation solutions in New York, the U.S. and globally.