New York Cybersecurity Regulations Now Effective March 1 Will Impact Third Party Service Providers Including Law Firms

Jan 5, 2017 | Blog

The New York State Department of Financial Services (DFS) published revised Cybersecurity Regulations on December 28, 2016, pushing back the effective date of the regulations to March 1, 2017. The core provisions of the regulations remain intact. Third parties, including law firms, will be affected: the “Third Party Service Vendor Management” requirement imposed on entities covered by the Department will result in enhanced questioning of law firms and other service providers about their cybersecurity, and perhaps in cybersecurity audits by their clients.

While certain provisions have been revised, one potentially nettlesome requirement remains unaltered. It requires that a Covered Entity notify the Superintendent of a “Cybersecurity Event” within 72 hours of the discovery of the event by the Covered Entity. A “Cybersecurity Event” is defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.”

Is malware, or hacker “probing” or “pings” to detect information system weaknesses, an intrusion attempt and, therefore, a “Cybersecurity Event” under this definition? If so, how can the information security or IT department of a law firm or other provider notify its Covered Entity client of possibly hundreds or thousands of such attempts each day? What will, or should, the service level agreement or law firm engagement letter require with regard to notification to the client about these probes or pings?

Law firm engagement letters have, over the years, become somewhat rote. That may be about to change, at least where the clients fall under these New York regulations. Law firms may also be retained to negotiate agreements with such thorny provisions on behalf of Covered Entities, service providers or even other law firms. Interesting times in law firm, client and service provider relations lie ahead.

If you have questions regarding the required components of third-party service agreements concerning financial services organizations in New York, please contact Kenneth N. Rashbaum.