GDPR and NYDFS Cyber Regulation Loom For Acquirers

Mar 30, 2018 | Blog

While GDPR is a looming shadow for many organizations, the laws of states like New York contain many similar requirements. In this second part of our GDPR series, we look at how the New York Department of Financial Services (NYDFS) Cybersecurity Regulations affect acquirers' due diligence in a way similar to GDPR.

Recently, NYDFS updated its Frequently Asked Questions page to address cybersecurity compliance due diligence requirements for NYDFS Covered Entities (organizations doing business under the New York Financial Services or Insurance Laws) seeking acquisitions. The response indicated that “Covered Entities will need to do a factual analysis of how these (cybersecurity) regulations apply to that particular acquisition.” In other words, with regard to companies supervised by NYDFS, the sort of cybersecurity compliance that was widely discussed as good business practice in the wake of the data breach disclosures by Yahoo during its acquisition by Verizon is now, arguably, required of financial services acquirers in New York. This requirement holds even if the target is not an organization supervised by NYDFS.

The good news, and there is some, is that the NYDFS Cybersecurity Regulations, at 23 NYCRR 500, mandate provisions many companies are already implementing as part of their compliance initiatives to meet the European Union’s General Data Protection Regulation (GDPR) standards by the GDPR effective date of May 25, 2018. GDPR applies to US companies that offer goods or services to the EU, or that track the online behavior of individuals in the EU (which would be almost every US company engaged in some form of e-commerce).

Compliance with GDPR, then, will also be a critical element in acquisition due diligence. NYDFS regulations overlap with many GDPR requirements, including a documented risk assessment; a documented process to meet a 72-hour data breach reporting deadline; designation of an individual with overall responsibility for implementation and monitoring of required safeguards; encryption of protected data at rest and in motion; and annual reporting of compliance efforts signed by someone in a senior management position.

US companies should, in the interest of avoiding unnecessary duplication of effort, be aware of how they can leverage compliance efforts of one regulatory regime to meet the mandates of the other. Conversely, as we have written, non-US companies should be aware of the distinctions between their home regulatory regimes and the security and privacy compliance mandates of the many US states in which the target may do business.

If you need assistance with meeting these myriad cybersecurity and privacy requirements for due diligence or for your own organizations, please contact Kenneth N. Rashbaum.