M. Ridgway Barker co-authored this article with Joseph Bambara, CIPP/US.
Cybersecurity laws in the United States vary significantly by business sector. There is currently no single U.S. cybersecurity law of general application; most businesses must comply with sector-specific federal and state laws.
Healthcare organizations, for example, may need to comply with the federal Health Insurance Portability and Accountability Act ("HIPAA"), and many financial institutions are required to comply with the Gramm-Leach-Bliley Act ("GLBA"). Some state laws impose additional requirements. On March 1, 2017, the New York Department of Financial Services ("DFS") enacted a regulation known as the Cybersecurity Requirements for Financial Services Companies, Part 500 of Title 23 of the New York Codes, Rules and Regulations ("23 NYCRR 500"). The regulation requires banks, insurance companies and other financial institutions regulated by the DFS ("Covered Entities") to implement cybersecurity programs. It was a response to the growing threat to financial systems and data from criminal actors. In much the same way as HIPAA protects health care information, the New York regulation protects financial information. 23 NYCRR 500 calls for Covered Entities to implement data security controls, conduct risk assessments, document their security policies, and designate a chief information security officer (CISO) responsible for the program. The objective is a program that is both preventive and reactive, so that a security incident can be contained when it occurs. There is extensive overlap between 23 NYCRR 500 and existing requirements: most of what DFS requires is already addressed, at least in part, by GLBA. However, 23 NYCRR 500 goes further, spelling out detailed sub-requirements that DFS will look for from Covered Entities. That said, 23 NYCRR 500 is a good start but may not be adequate to stop the pandemic-era surge in cybercrime.
Although 23 NYCRR 500 was enacted in 2017, DFS only recently filed its first statement of charges under it, against First American Title Insurance Company, the second-largest real-estate title insurer in the U.S. The hearing is scheduled for October 26, 2020. The statement of charges alleges that a vulnerability in First American's information systems exposed millions of documents containing consumers' personal information, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers' license images. DFS alleges that from October 2014 through May 2019, because of a vulnerability known to First American, these records were available to anyone with a web browser; that the vulnerability went undetected for approximately four years; and that after a penetration test discovered it in December 2018, First American took a further six months to remedy the exposure. Independent security journalist Brian Krebs then revealed that First American had left 885 million sensitive customer financial records exposed on its website for anyone to access. Only after the Krebs publication did First American report the breach to DFS, as required under 23 NYCRR 500.17 (which requires notice to the superintendent within 72 hours of determining that a reportable cybersecurity event has occurred).
The First American web-accessible system at issue allows title agents and other First American employees to share any document with outside parties. In April 2018, this system contained 753 million documents, 65 million of which First American had designated as containing non-public information ("NPI"). However, the statement of charges also points to an April 2018 presentation by senior members of First American's information security management team to its board of directors showing that, within a random sample of 1,000 documents in the system, 30% of the documents containing NPI had not been designated as such. The true number of NPI-bearing documents may therefore have been millions higher than the designated count.
DFS alleges multiple failures in First American's handling of the vulnerability and the breach, including:
- failure to comply with its own published internal policies,
- failure to conduct a security review and risk assessment of the poorly designed software and SQL data that exposed sensitive NPI,
- misclassifying the known vulnerability as "low" severity despite knowing the magnitude of the exposure,
- failure to investigate the vulnerability within the timeframe dictated by its own published internal policies,
- conducting an unacceptably minimal review of the exposed documents, and
- failure to follow the recommendations of its own internal cybersecurity team, and delegating remediation to unqualified staff.
Ultimately, DFS claims that First American violated six provisions of 23 NYCRR 500, which require each Covered Entity to:
- maintain a cybersecurity program, based on its risk assessment, designed to protect the confidentiality, integrity and availability of its information systems and to perform the core cybersecurity functions (500.02);
- maintain a written policy or policies, approved by a senior officer or the board of directors, setting forth its policies and procedures for the protection of its information systems and the NPI stored on those systems, based on the risk assessment (500.03);
- limit user access privileges to information systems that provide access to NPI and periodically review those access privileges (500.07);
- conduct periodic risk assessments sufficient to inform the design of the cybersecurity program (500.09);
- provide regular cybersecurity awareness training for all personnel (500.14); and
- implement controls, including encryption, to protect NPI held or transmitted by the Covered Entity, both in transit and at rest (500.15).
The 23 NYCRR 500 regulations are enforced pursuant to Section 408 of the Financial Services Law. A violation of Section 408 with respect to a financial product or service, which includes title insurance, is subject to penalties of up to $1,000 per violation. DFS alleges that each instance of NPI encompassed within the charges constitutes a separate violation, each carrying up to $1,000 in penalties. Given the potential of 885 million First American documents containing NPI, whether designated as such or not, the penalties could be massive. As the first 23 NYCRR 500 enforcement action, the case demonstrates DFS's willingness to pursue penalties and re-emphasizes the importance of a compliant cybersecurity program. Notwithstanding GLBA, 23 NYCRR 500 is one of the first cybersecurity regulations of its kind in the U.S. It will hopefully serve as a model for other regulators, including the U.S. Federal Trade Commission, other states and the National Association of Insurance Commissioners.
In addition to legislation and regulation addressing cybersecurity, enterprises need to upgrade software and data storage that predates the internet and the rise of cybercrime. Businesses including First American still rely on centralized data storage. Legacy database systems based on Structured Query Language (SQL) maintain the majority of the world's books and records today. In contrast to a blockchain or distributed ledger, a conventional database is a centralized data store: a single ledger run by one administrator. A database stores information in a defined structure, its schema, and all of the stored data can be read and changed through SQL's data manipulation language ("DML"). Centralization brings benefits and some serious problems. Scaling, accessing and storing data is relatively easy and fast. The problems are that a single store is a single target for compromise or corruption by malicious actors, and that whoever controls the database, including an attacker holding a compromised administrator credential, can modify or delete its contents without leaving independent evidence of the change. This appears to be changing as blockchain-based storage gains popularity. In a distributed ledger each record is cryptographically chained to its predecessor and the chain is replicated across nodes that no single administrator controls, so an alteration to one copy is detectable and there is no single operator who can silently rewrite the history. Two caveats apply. First, chaining and replication provide integrity and tamper evidence, not confidentiality: a record written to a ledger is readable by every node that holds a copy, so sensitive NPI should be encrypted or kept off the ledger entirely, with only a commitment (a salted hash) recorded on it. Second, the First American exposure was an access control failure (records served to anyone with a web browser), and replicating data does not fix a missing authorization check; access control, key management and the ability to revoke a compromised access key at any time remain essential whatever the storage technology.
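As an added illustration, not code from this article or from any First American system, the following Python models the integrity property a chained ledger provides and where that property stops. It is a hypothetical single-node hash chain: each record's SHA-256 covers the previous record's hash, so editing a record breaks verification; an operator who controls the whole store can re-hash the chain to hide the edit, which is why a copy of the chain head must be held by an independent party or node; and the NPI itself is never written to the chain, only a salted commitment, with the plaintext held in a separate access-controlled store. The record contents and all names (`HashChainLedger`, `commit_npi`, `witness_head`, the `doc-*` identifiers) are constructed for this example.

```python
import hashlib
import json
import secrets

GENESIS = "0" * 64  # sentinel predecessor hash for the first record (example convention)


def _digest(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so the same payload always hashes the same way.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def commit_npi(npi: str, salt: bytes) -> str:
    # Salted commitment: the ledger can attest to a document's contents without
    # storing the NPI. The salt defeats guessing attacks on low-entropy values
    # such as account numbers or SSNs.
    return hashlib.sha256(salt + npi.encode("utf-8")).hexdigest()


class HashChainLedger:
    """Append-only record list; each record's hash covers its predecessor's hash."""

    def __init__(self) -> None:
        self.blocks: list[dict] = []

    def append(self, payload: dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        h = _digest(prev, payload)
        self.blocks.append({"prev": prev, "payload": payload, "hash": h})
        return h

    def head(self) -> str:
        return self.blocks[-1]["hash"] if self.blocks else GENESIS

    def verify(self) -> tuple[bool, int]:
        """Return (True, -1) if every link holds, else (False, index of the first bad block)."""
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            if b["prev"] != prev or _digest(prev, b["payload"]) != b["hash"]:
                return False, i
            prev = b["hash"]
        return True, -1

    def recompute_from(self, start: int) -> None:
        # What an operator who controls the entire store can do: re-hash everything
        # after an edit so that verify() passes again. Only an externally held copy
        # of the head (another node, a signed checkpoint) exposes this.
        prev = self.blocks[start - 1]["hash"] if start > 0 else GENESIS
        for b in self.blocks[start:]:
            b["prev"] = prev
            b["hash"] = _digest(prev, b["payload"])
            prev = b["hash"]


def demo() -> dict:
    # Constructed sample records; not real documents or people.
    vault = {}                      # access-controlled store holding the actual NPI
    ledger = HashChainLedger()      # integrity ledger holding only commitments
    samples = [("doc-1", "acct 1111-2222"), ("doc-2", "SSN 000-00-0000"), ("doc-3", "license img ref")]
    for doc_id, npi in samples:
        salt = secrets.token_bytes(16)
        vault[doc_id] = {"npi": npi, "salt": salt}
        ledger.append({"doc_id": doc_id, "commitment": commit_npi(npi, salt)})
    witness_head = ledger.head()    # copy of the head held by an independent party

    clean_ok, _ = ledger.verify()

    # 1. An attacker edits a middle record: the chain breaks at that index.
    ledger.blocks[1]["payload"]["doc_id"] = "doc-2-forged"
    tampered_ok, bad_index = ledger.verify()

    # 2. An insider with full control re-hashes: verify() alone is fooled ...
    ledger.recompute_from(1)
    rehashed_ok, _ = ledger.verify()
    # ... but the independently held head no longer matches.
    witness_detects = ledger.head() != witness_head

    # 3. The ledger never exposes the NPI, yet the commitment still binds it.
    leaks_npi = any("SSN" in json.dumps(b["payload"]) for b in ledger.blocks)
    rec = vault["doc-2"]
    commitment_ok = commit_npi(rec["npi"], rec["salt"]) == ledger.blocks[1]["payload"]["commitment"]

    return {
        "clean_ok": clean_ok, "tampered_ok": tampered_ok, "bad_index": bad_index,
        "rehashed_ok": rehashed_ok, "witness_detects": witness_detects,
        "leaks_npi": leaks_npi, "commitment_ok": commitment_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The point of step 2 is the one the paragraph above makes about centralization: a hash chain run by a single administrator is only tamper-evident to someone who holds an independent copy of its head. Replication across nodes, or anchoring checkpoints with an outside party, is what turns local integrity into evidence an operator cannot rewrite. Step 3 shows why confidentiality is a separate control: the chain attests to the NPI without containing it.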
In summary, whether or not you are a New York State regulated financial institution, companies with a current information security plan, policies and procedures should update them to reflect these requirements, and any company that does not yet have an information security plan, policies or procedures should be proactive and use 23 NYCRR 500 as a guide to creating them. The financial industry is the most heavily regulated from a cybersecurity standpoint because it is the most likely to be targeted by attackers. Building your company's information security program on the requirements and guidelines in this regulation is a strong step toward a compliant information security plan. Enterprises should also consider blockchain and distributed ledger storage as part of a data protection strategy: a hash-chained, replicated ledger makes undetected modification of records difficult and, combined with encryption of the records themselves and strict access control, gives enterprises a way to show that sensitive data has not been tampered with.
Our Withers team can help you safely prepare your business from both a technical and a legal standpoint, incorporating these emerging technology trends in a customized, secure and efficient manner. We have the experience and know-how to help you stay ahead of the competition.
For more information please contact your regular Withers attorney or the author of this piece.