In my previous post, I reviewed the New York State Department of Financial Services’ (NYDFS) findings and conclusions of survey results of financial institutions and insurers’ programs, costs, and future plans related to cybersecurity.

Anthony J. Albanese – Acting Superintendent of Financial Services – writes in a November 9, 2015 letter to Financial and Banking Information Infrastructure Committee (FBIIC) Members that these conclusions have demonstrated a need for new cybersecurity regulations for financial institutions.

Such “robust regulatory action” would be a coordinated effort between state and federal agencies to create a thorough cybersecurity framework addressing critical concerns as well as covering New York-specific interests.

Potential regulations implemented by the NYDFS would require covered financial entities to meet specific cybersecurity obligations in the following areas:

  • Cybersecurity policies and procedures;
  • Third-party service provider management;
  • Multi-factor authentication (i.e., requiring covered entities to apply such authentication to customer, internal, and privileged access to confidential information as well as any access to internal systems or data from an internal network);
  • Chief Information Security Officer (i.e., covered entities will be required to have a CISO responsible for overseeing and implementing a cybersecurity policy, among other duties);
  • Application security (i.e., covered entities must have and set forth written policies, procedures, and guidelines to ensure the security of all applications utilized by the entity which need to be updated annually by the CISO);
  • Cybersecurity personnel and intelligence (i.e., covered entities will need to hire cybersecurity personnel who can handle certain cyber risks and perform core functions of “identify, protect, detect, respond and recover,” as well as providing mandatory training to such personnel);
  • An audit function; and
  • Notice of cybersecurity incidents.

Some of these proposed requirements are set forth in more detail below.


Cybersecurity Policies and Procedures

Covered entities, Albanese writes, would need to implement and maintain written cybersecurity policies and procedures addressing the following areas:

(1) information security;

(2) data governance and classification;

(3) access controls and identity management;

(4) business continuity and disaster recovery planning and resources;

(5) capacity and performance planning;

(6) systems operations and availability concerns;

(7) systems and network security;

(8) systems and application development and quality assurance;

(9) physical security and environmental controls;

(10) customer data privacy;

(11) vendor and third-party service provider management; and

(12) incident response, including by setting clearly defined roles and decision making authority.


Third-party Service Provider Management

Albanese wants covered entities to ensure that third-party cybersecurity policies and procedures are implemented. Third-party service providers who hold or have access to sensitive data or systems will need to adhere to certain contractual terms, including the following provisions:

(1) the use of multi-factor authentication to limit access to sensitive data and systems;

(2) the use of encryption to protect sensitive data in transit and at rest;

(3) notice to be provided in the event of a cyber security incident;

(4) the indemnification of the entity in the event of a cyber security incident that results in loss;

(5) the ability of the entity or its agents to perform cyber security audits of the third party vendor; and

(6) representations and warranties by the third party vendors concerning information security.


Audits

Annual penetration testing as well as quarterly vulnerability assessments will be a new requirement for covered entities. Such entities will also be responsible for maintaining an audit trail system that performs the following functions:

(1) logs privileged user access to critical systems;

(2) protects log data stored as part of the audit trail from alteration or tampering;

(3) protects the integrity of hardware from alteration or tampering; and

(4) logs system events, including access and alterations made to audit trail systems.
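The letter lists what the audit trail must do but not how a system can make stored log data resistant to alteration. As an added example (not code from the NYDFS letter or this post), the block below keeps privileged-access events in a chain where each entry carries an HMAC over its own content and the previous entry's MAC, so an edited, deleted or reordered entry breaks the chain. It also shows the caveat a chain alone does not cover: silently dropping the newest entries leaves the remaining chain valid, which is why the head MAC must be anchored somewhere the logging host cannot rewrite. The key, event fields and hostnames are constructed for illustration.

```python
"""Tamper-evident audit trail for privileged access events (illustrative).

Covers functions (1), (2) and (4) of the audit-trail list: privileged access
is logged, stored entries cannot be altered without detection, and changes to
the audit system itself are recorded like any other privileged action.
"""
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed sample key. In a real deployment this is held by an HSM or a
# secrets manager, not on the host whose activity the trail records.
AUDIT_KEY = b"example-audit-key-do-not-reuse"
GENESIS = "0" * 64  # previous-MAC value for the first entry

# Constructed sample events: two actions on a database and one change to the
# audit system's own configuration (function 4 requires logging the latter).
SAMPLE_EVENTS = [
    {"ts": "2015-11-09T08:00:00Z", "user": "dba-admin", "action": "login",
     "target": "core-ledger-db", "privileged": True},
    {"ts": "2015-11-09T08:02:13Z", "user": "dba-admin", "action": "ALTER TABLE accounts",
     "target": "core-ledger-db", "privileged": True},
    {"ts": "2015-11-09T08:05:40Z", "user": "sec-ops", "action": "change retention policy",
     "target": "audit-trail", "privileged": True},
]


def _mac(key: bytes, prev_mac: str, seq: int, record: dict) -> str:
    """HMAC-SHA256 over the previous MAC plus canonical JSON of this record."""
    payload = prev_mac.encode() + json.dumps(
        {"seq": seq, "record": record}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_event(trail: List[dict], key: bytes, record: dict) -> dict:
    """Append a record, sealing it to the entry before it."""
    prev_mac = trail[-1]["mac"] if trail else GENESIS
    seq = len(trail)
    entry = {"seq": seq, "record": dict(record), "prev": prev_mac,
             "mac": _mac(key, prev_mac, seq, record)}
    trail.append(entry)
    return entry


def verify_trail(trail: List[dict], key: bytes,
                 expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the trail is intact, else the index of the first bad entry.

    expected_head is the MAC of the last entry as recorded off-host; passing it
    lets the verifier notice that trailing entries were removed, which the
    chain alone cannot reveal.
    """
    prev_mac = GENESIS
    for i, entry in enumerate(trail):
        expected = _mac(key, prev_mac, i, entry["record"])
        if (entry["seq"] != i or entry["prev"] != prev_mac
                or not hmac.compare_digest(expected, entry["mac"])):
            return i
        prev_mac = entry["mac"]
    if expected_head is not None and prev_mac != expected_head:
        return len(trail)  # the chain is shorter than the anchored head
    return None


def build_sample_trail() -> List[dict]:
    """Build a fresh trail from the constructed sample events."""
    trail: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_event(trail, AUDIT_KEY, event)
    return trail


def demo_tamper() -> dict:
    """Show which alterations the chain detects, and which need the anchor."""
    intact = build_sample_trail()
    head = intact[-1]["mac"]  # would be copied to an off-host store

    edited = build_sample_trail()
    edited[1]["record"]["user"] = "someone-else"  # rewrite who ran the ALTER

    deleted = build_sample_trail()
    del deleted[1]  # remove the ALTER entry from the middle

    truncated = build_sample_trail()[:2]  # drop the newest entry

    return {
        "intact": verify_trail(intact, AUDIT_KEY, head),                  # None
        "edited": verify_trail(edited, AUDIT_KEY, head),                  # 1
        "deleted": verify_trail(deleted, AUDIT_KEY, head),                # 1
        "truncated_no_anchor": verify_trail(truncated, AUDIT_KEY),        # None
        "truncated_with_anchor": verify_trail(truncated, AUDIT_KEY, head),  # 2
    }


if __name__ == "__main__":
    for name, result in demo_tamper().items():
        print(f"{name}: {'intact' if result is None else f'bad entry at {result}'}")
```

The HMAC key and the head MAC are the two things the logging host must not be able to rewrite; the key makes forging a replacement chain infeasible, and the anchored head makes truncation visible. Verification is read-only, so the same check can be run by an auditor against an exported copy of the trail.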


Notice of Cybersecurity Incidents

Covered entities, Albanese writes, will need to immediately notify the NYDFS of any cyber security incident that is reasonably likely to materially affect such entity’s normal operation, including a cybersecurity incident

(1) that triggers certain other notice provisions under New York Law;

(2) of which the entity’s board is notified; or

(3) that involves the compromise of “nonpublic personal health information” and “private information” as defined under New York Law, payment card information or any biometric data.


These potential requirements are subject to further review and revision by the NYDFS, and there is no timetable for when these requirements will become the law of the land in New York. It will be interesting to see if and when covered entities begin implementing these requirements in advance of a legal obligation to do so. Will other states’ regulatory agencies enact similar regulations modeled on the NYDFS proposals? Look for developments on this topic in the news and on this website.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

In reaction to two surveys of more than 150 regulated banking organizations and 43 regulated insurers in New York, the state’s Acting Superintendent of Financial Services issued a letter to all Financial and Banking Information Infrastructure Committee (FBIIC) Members addressing the need for potential new cybersecurity regulations in the financial sector.

The New York State Department of Financial Services (NYDFS) expects that the November 9, 2015 letter will trigger more “dialogue, collaboration and, ultimately, regulatory convergence” among New York agencies on “strong” cybersecurity norms for financial institutions.

In the letter, Anthony J. Albanese – Acting Superintendent of Financial Services – discusses the NYDFS’ review of the two surveys which were conducted in 2013 and 2014. The surveys asked about the banks’ and insurers’ programs, costs, and future plans pertaining to cybersecurity. Albanese writes that the findings of those surveys led to some additional actions:

  • The NYDFS expanded its information technology examination procedures to focus more attention on cybersecurity;
  • NYDFS began conducting risk assessments of its financial institutions in late 2014 and early 2014 to compile information about risks and vulnerabilities;
  • In response to a realization of the financial industry’s reliance on third-party service providers for banking and insurance functions, the NYDFS conducted an additional survey of regulated banks in October 2014, specifically pertaining to banks’ management of third-party service providers; and
  • NYDFS published an April 2015 update to its earlier report with the most critical observations.

Those reports and risk assessments as well as the “dozens of discussions” the NYDFS has held with New York financial entities, cybersecurity experts, and other stakeholders have led to several “broad conclusions,” Albanese writes:

  • Financial institutions need to stay “dynamic” to keep pace with ever-changing technological advances and sophisticated cyberthreats;
  • Financial institutions’ third-party service providers must also have sufficient cybersecurity protections as these service providers often have access to an institution’s sensitive data and information technology systems; and
  • Cybersecurity is a “global concern” that affects every industry as evidenced by recent data breaches.

My next post will analyze the proposed regulatory actions and requirements NYDFS is considering for financial institutions and insurers.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

The White House is building on recent laws addressing cybersecurity in the United States with the release of a new Cybersecurity National Action Plan (“CNAP”). The plan focuses on:

  • improving cybersecurity awareness and protections;
  • additional privacy and security protections for individuals through the creation of a permanent Federal Privacy Council;
  • maintenance of public safety, economic security and national security through a new Commission on Enhancing National Security; and
  • encouraging citizens to take better control of their digital information and security.

CNAP includes a request to Congress to invest over $19 billion for the 2017 Fiscal Year Budget, which is a 35% increase to resources allocated to cybersecurity during FY 2016.

The plan is highlighted by a new Commission on Enhancing National Security (“Commission”). The Commission will be comprised of top technical, strategic, and business advisors in the private sector chosen by bipartisan Congressional leadership.  It will make detailed recommendations to improve cybersecurity awareness both inside and outside the government.  The Commission will also make specific findings about improving national security and empowering citizens to better handle their digital security.  These recommendations and findings must be reported to the President before the end of this year.

The White House looks to make significant improvements in government cybersecurity as part of a $3.1 billion Information Technology Modernization Fund, which will allow agencies to modernize outdated IT infrastructure, networks and systems. A new Federal Chief Information Security Officer will be solely dedicated to developing, managing, and coordinating cybersecurity policies, strategies and operations in the federal government.  The Department of Homeland Security will have new federal civilian cyber defense teams to protect associated networks, systems and data.  The plan also calls for disrupting cyberattacks and improving cyber incident response.

CNAP’s concern for citizens’ privacy and security is reflected in an Executive Order making the Federal Privacy Council permanent. Privacy officials from across the government will help ensure that more strategic and comprehensive federal privacy guidelines are implemented.  The Administration wants citizens to leverage multiple layers of authentication when logging into online accounts instead of just a password. Extra factors like a fingerprint or a single use code via text message are ways to improve online security. The federal government is accelerating adoption of this approach for citizen-to-government digital services, such as tax and health benefit information.  The White House’s new milestones for the 2014 BuySecure Initiative will build upon the already 2.5 million issued Chip-and-PIN payment cards.

Research and development will continue to be a focus with a new Federal Cybersecurity Research and Development Strategic Plan. The strategic plan outlines research and development goals so that U.S. can advance cybersecurity technologies.  CNAP further mentions working with the Linux Foundation’s Core Infrastructure Initiative to maintain and improve internet infrastructure.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.”  The guiding principles of the draft bill are:  individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.

FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.”  However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House.  FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.

Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”



It is midway through 2014 and there have been updates to four existing, and one new, state breach notification laws.  Iowa and Florida have substantively amended their current breach notification laws, both of which went into effect on July 1, 2014, and Kentucky has become the 47th state to implement a breach notification law, which went into effect on July 14, 2014.

Idaho and Vermont also amended their data breach laws.  Idaho’s amendments were merely technical and did not change the substance of the law.  Vermont’s amendments were similarly technical, but a provision was added that requires a Vermont law enforcement agency to notify a business in writing if it has a reasonable belief that a security breach has or may have occurred at the business.

Iowa’s Breach Notification Law

Starting on July 1, 2014 Iowa’s amended breach notification law created a few changes that will impact when and who an individual or business must notify if there is a data breach.  The highlights of the amendments are as follows:

  • A “Breach of Security” now includes an unauthorized acquisition of Personal Information that was transferred from computerized form to any medium, including paper.
  • “Personal Information” now includes encrypted, redacted, or otherwise altered data elements if the keys to unencrypt, unredact, or otherwise read the data elements were acquired through the security breach.
  • An expiration date is now included as a data element for combination with account numbers or credit or debit card numbers.
  • Notification must now be provided to the Director of the Consumer Protection division of the Office of the Attorney General if the breach includes more than 500 Iowa residents.

Florida’s Breach Notification Law

Florida implemented the Information Protection Act of 2014 that repeals the existing data breach law and implements strengthened notification requirements.  The new law was signed by Governor Rick Scott on June 20, 2014, and went into effect on July 1, 2014.  The new law redefines a Covered Entity, expands the definition of Personal Information, and expands the notification requirements if there is a data breach.

Florida’s new breach notification law redefines a “Covered Entity” as any sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or governmental entity that acquires, maintains, stores, or uses Personal Information.

In addition to what the original law included, “Personal Information” now includes a username or email address in combination with a password or security question and answer that would permit access to an online account.  Further, “Personal Information” includes the following new data elements:

  • A passport number, military identification number, or other government issued number used to verify identity.
  • The medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  • The health insurance policy number or subscriber identification number in combination with a unique identifier used by the health insurer.

The new Florida law also provides that Personal Information does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.

If there is a data breach, notice must be provided to individuals in Florida as expeditiously as practicable and without unreasonable delay, but no later than 30 days after the “Covered Entity” concludes that a breach occurred or has reason to believe a breach occurred.  Notice of a data breach may be delayed by a federal, state, or local law enforcement agency if the agency believes notice of the data breach will interfere with a criminal investigation.  Notice of a data breach must be provided to consumer reporting agencies without unreasonable delay if the data breach requires notification of more than 1,000 individuals at a single time.  The new Florida law expands the notification requirement to include the Department of Legal Affairs.  Notifying the Department of Legal Affairs is only required if the security breach affects 500 or more individuals in Florida (Florida’s breach notification law does not refer to residents, unlike other states’ breach notification laws).  Notice to the Department of Legal Affairs must be provided as expeditiously as practicable, but no later than 30 days after the “Covered Entity” concludes that a breach occurred or has reason to believe a breach occurred.

The new Florida law also requires specific information to be included in a data breach notification, depending on to whom such notification is addressed.  When notifying an individual of a data breach by written or email notice, the notice must include:

  • the date, estimated date, or estimated date range of the breach;
  • a description of the “Personal Information” accessed or reasonably believed to have been accessed during the breach; and
  • the contact information for the individual to reach the entity.

When notifying an individual of a data breach by substitute notice, which method can be used if the written notice or email notice is not feasible because the cost of providing notice would exceed $250,000, the affected individuals exceed 500,000 persons, or the “Covered Entity” does not have a mailing address or email address for the affected individuals, the notice shall include:

  • a conspicuous notice on the entity’s website, if the entity maintains a website; and
  • notices in print media and in broadcast media, including major media in urban and rural areas where the affected individuals reside.

When notifying the Department of Legal Affairs of a data breach, the notice must be in writing and include:

  • a synopsis of the breach;
  • the number of Florida residents affected by the breach;
  • any services being offered to the affected individuals;
  • a copy of the notice to the individuals or an explanation of other actions taken; and
  • the contact information of an employee or agent the Department of Legal Affairs may contact to obtain further information about the breach.

Kentucky’s Breach Notification Law

Kentucky became the 47th state to pass a breach notification law.  Governor Steve Beshear signed H.B. 232 into law on April 10, 2014, and the law went into effect on July 14, 2014.  The new law will require any individual or business entity that conducts business in Kentucky and maintains computerized data that includes Personal Information to notify residents of Kentucky of a Breach of Security.  A “Breach of Security” is an unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by the individual or business entity and actually causes, or leads the individual or business entity to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky.

“Personal Information” means an individual’s first name or first initial and last name combined with any one or more of the following data elements, when the name or data is not redacted:

  • Social Security number;
  • driver’s license number; or
  • account number, credit or debit card number, in combination with any security code, access code, or password that would permit access to an individual’s financial account.

The timing of the breach notification shall comply with the following requirements:

  • The breach notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measure necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • The breach notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation.  The notification shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.

With respect to the manner of the breach notification, the notice may be provided by one of the following methods:

  • written notice;
  • electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or
  • substitute notice, if the individual or business entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or that the individual or business entity does not have sufficient contact information.  Substitute notice shall consist of the following: (a) email notice, when the individual or business entity has an email address for the subject persons; (b) conspicuous posting of the notice on the individual or business entity’s website, if the individual or business entity maintains a website; or (c) notification to major statewide media.

Notwithstanding the above, any individual or business entity that maintains its own notification procedures as part of an information security policy for the treatment of “Personal Information,” and is otherwise consistent with the timing requirements, shall be deemed to be in compliance with the notification requirements of the Kentucky statute if the individual or business entity notifies the subject persons in accordance with its policies in the event of a breach of security of the system.

In what amounts to a potential, unprecedented victory for consumers’ right to know how their personal information is used by businesses, California’s "Right to Know Act of 2013" (AB 1291) made further headway by being re-read and amended a second time on Monday, April 1st.  As reported by Ars Technica, the Right to Know Act, which was introduced by California Assembly Member Bonnie Lowenthal, was the result of significant lobbying by the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California.

The current summary of the bill states:

(1) Existing law requires a business to ensure the privacy of a customer’s personal information, as defined, contained in records by destroying, or arranging for the destruction of, the records, as specified. Any customer injured by a business’ violation of these provisions is entitled to recover damages, obtain injunctive relief, or seek other remedies.

This bill would create the Right to Know Act of 2013, would repeal and reorganize certain provisions of existing law, and would provide legislative findings in support thereof.

(2) Existing law also requires a business that collects customer information for marketing purposes and that discloses a customer’s personal information to a 3rd party for direct marketing purposes, to provide the customer with whom it had a business relationship, as defined, within 30 days after the customer’s request, as specified, in writing or by e-mail, the names and addresses of the recipients of that information and specified details regarding the information disclosed, except as specified. Existing law requires a business subject to these provisions to provide an address, electronic address, or toll-free telephone or facsimile number that a customer may use to deliver requests for copies of his or her personal information.

This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.

(3) Existing law also requires a business that is required to comply with these provisions to provide information to customers regarding its privacy policy and to provide a designated means of preventing disclosure of personal information.

This bill would require a business that is required to comply with these provisions to provide specified notice to the customer of its privacy policies.

(4) Existing law provides that a customer who sustains injury as a result of a violation of these provisions is entitled to specified remedies, including civil penalties.

This bill would also provide that a violation of these provisions is deemed to constitute an injury to the customer for purposes of seeking remedies available under law.

In other words, the Act also provides a private right of action to consumers for businesses that do not comply with the Act.

The EFF appears to be quite pleased with the bill, as noted in its press release on April 2nd.  The EFF noted that the point of the law is to allow consumers to better understand the vast economy that is data sharing: "This law is about transparency and access, not new restrictions on data sharing. The proposed law wouldn’t limit or restrict sales of data, and it wouldn’t provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers, and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

It will be interesting to see (1) if the Act continues toward enactment, (2) how companies outside of California, but with information regarding California residents, implement the law, and (3) if this very European-style law catches on in other states.  


Rep. Rick Boucher (D-VA) and Rep. Cliff Stearns (R-FL) proposed federal legislation last week that would create a two tier standard of protection of private information, whereby “covered information” would fall under the standard “opt-out” method and “sensitive information” would fall under an “opt-in” method.

The proposed legislation breathes new life into perennial dead on arrival legislation, and potentially offers something the Obama administration can support in fulfilling its promise to close existing gaps in federal privacy legislation.

The phrase "Sensitive Information" includes any information that relates to the individual’s medical records, race or ethnicity, religious beliefs, sexual orientation, financial records or precision geolocation information.

Opponents of the legislation have jumped all over it, claiming that it does not go far enough to protect individuals, especially in the online context. Others cite that European laws remain the gold standard for privacy protection, and that this legislation avoided going that far because of backlash from business.


The New York Times had an interesting article on Friday discussing a recent trend in state legislatures to prevent the use of credit reports as a tool for private businesses to screen job applicants.  According to the article, more than a dozen state legislatures are currently considering such legislation.

With the downturn in the economy, the continually rising cost of health care (and the lack of insurance because of unexpected unemployment) and the failure of recently unemployed to change their spending habits, the issue of poor credit has affected more and more individuals.

To fight this potential trend to prohibit the use of credit reports in the hiring process, credit reporting agencies such as TransUnion (you know, one of the companies that sells the credit reports to those private businesses) has lobbied to block such legislation.  A tactic has been to sell the credit report as a mechanism to protect your business and employees.  Don’t you care enough to protect your employees, you monster?  This approach is why there are parents paying $800 for a baby stroller.  Apparently, these efforts have been successful in some states, such as California, Maryland and Connecticut.

But what does a tainted credit report really tell you about the applicant?  The article does a keen job of pointing out that there have been no comprehensive studies on the correlations between poor credit and employee fraud and theft, but a small study cited found no such correlation.

If your business does credit checks as part of a background check on a potential employee, I suggest you read the article and consider a few questions.  First, do you get written permission to obtain the credit report?  (You need that written permission under federal law.)  Second, does your human resources staff understand that it cannot make employment decisions based solely on the credit report?  (You should not do that.)  Finally, do you really need the report, meaning does it really tell you anything and, if it does, do you limit your practice of obtaining the report to positions that involve the handling of money or positions that come with other fiduciary responsibilities?

A standing room meeting organized by the Federal Trade Commission (FTC) in Washington on Monday, December 7th, highlighted a crucial divide in the discussion over the regulation of online privacy. The New York Times provides an excellent summary of the mainstream newsworthy aspects of the meeting.

While the take away may be that the FTC is taking a more serious look at online privacy and net neutrality, the reality is that any oversight is not going to happen anytime soon. Not anytime soon as in years, if ever. Policy making as the solution is not going to address any immediate concerns or problems.

What may be of more interest is the deep divide between the parties with a vested interest in the outcome of the discussion, namely, the consumer/consumer advocates and parties making money from information that may one day be regulated.


It appears that John Connor is not the only thing from the future in Governor Schwarzenegger’s crosshairs. The Governator vetoed the update to California’s landmark privacy protection law (AB 700), known as SB 20, which California’s State Legislature previously approved and we reported about here. SB 20 was proposed by State Senator Joe Simitian (D-Palo Alto).

Simitian, the author of California’s existing privacy legislation (AB 700), created a bill that had no apparent opposition. In fact, Simitian has a record of creating trend-setting legislation in the privacy field, with more than 40 states adopting legislation similar to the legislation that he authored for California (AB 700). Scientific American named Simitian as a member of the “Scientific American 50” in 2003 in the “Privacy & Security” category for his work on California’s existing legislation (AB 700).

The California Chronicle quoted Simitian as saying “I’m surprised as well as disappointed by the Governor’s veto. There was no opposition to the bill in its final form. This was a common sense step to help consumers.”

As a refresher, SB 20 would accomplish two major goals. First, SB 20 would have required that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.”

Second, SB 20 would also have required that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office.

While the basis for the Governor’s veto of SB 20 was not immediately apparent, it is likely that Simitian will reintroduce this legislation with some adjustments.