In the absence of national cybersecurity legislation (except in healthcare), individual states are increasingly taking steps to protect the personal information of state residents. These regulations may govern the information practices of your organization. If you have a website that reaches these states (all websites do) and offers your goods or services to state residents, or if you have customers, prospects or offices in these states, these new regulations may apply to you.
The cybersecurity regulations of the New York Department of Financial Services, which apply to organizations under the supervision of that Department, took effect in March 2017 and are among the most prescriptive in the nation. Among other things, they require a documented risk assessment, a written cybersecurity policy, encryption of data at rest and in motion, and notification of attempted or unsuccessful breaches within 72 hours, the shortest notification period in the U.S.
Colorado and Vermont recently passed financial services cybersecurity regulations and, while not as detailed as New York’s, the regulations of both states go beyond the reach of the New York provisions. Colorado’s regulations explicitly apply to investment advisors and broker-dealers, while New York’s rules do not directly pertain to such organizations.
These regulations should be carefully analyzed, as some of them contain unique requirements. For example, Vermont’s financial services regulations apply broadly, to any organization that offers any form of financial services to state residents. Vermont requires such organizations to carry cyber risk insurance, and to offer “identity restoration services at no cost to consumers in the occurrence of a breach in the cybersecurity of consumer nonpublic personal information.”
The 2016 amendments to the Illinois Personal Information Protection Act have perhaps the broadest reach. They apply to all organizations that “for any purpose, handle, collect, disseminate or otherwise deal with nonpublic personal information.” The amendments, which took effect in January 2017, require such organizations to “implement and maintain reasonable security measures.” Like New York’s regulations, the statute also requires that a contract with a third party to whom such information is provided (such as a consultant, accountant or, perhaps, a law firm) contain a provision requiring the third party to maintain similar security safeguards for nonpublic personal information.
How can you keep track of these fast-developing requirements, let alone meet them? There are common provisions among these laws and regulations, so compliance with one state’s rules can be leveraged to meet many of the requirements of another. The effort is worthwhile. Some regulations, like Vermont’s, can be seen as a prerequisite for doing business in that state, so compliance can bring business opportunities that may not have existed previously.
If you have questions about meeting multiple state cybersecurity requirements, or how compliance can be a revenue generator rather than a cost center, please contact Kenneth N. Rashbaum.