In early September 2016, the New York Department of Financial Services ("DFS") proposed a set of data security regulations (the "Proposal") that would govern financial institutions, banks, and insurance companies subject to the jurisdiction of the agency ("covered entities"). After receiving public comments, DFS revised and resubmitted the Proposal on December 28, 2016. If the Proposal ultimately goes into effect it would require that covered entities have a written information security policy ("WISP") and outline specific provisions (substantive and procedural) that must be contained in that document. While the Proposal has garnered a great deal of public attention, the majority of the provisions in the latest version are not unique.
Prior to the Proposal at least four states already required that if a company collected financial information about consumers within their jurisdiction some, or all, of the company's security program must be reduced to writing; three states required that an employee be specifically designated to maintain a security program.1 More importantly, the Federal Gramm Leach Bliley Act ("GLBA") contains broad requirements that mimic many of the Proposals provisions. This includes, for example, the requirement that a financial institution conduct a risk assessment and maintain data breach response procedures.
The real question, therefore, is what, if anything, would the Proposal add to the mix of data security laws to which financial institutions are already subject? The following are five main provisions that stand-out as unique:
- Multi-Factor Authentication. Multi-factor authentication means that someone can only access a network if they are able to provide multiple forms of authentication - in other words you must provide more than a simple user name and password. The Proposal would require that within a year most covered entities require at least two different forms of authentication before permitting someone outside of their network from accessing internal systems. The Proposal would be one of the first - if not the only - regulatory mandate that a company adopt multi-factor authentication. That said, many financial institutions have already adopted multi-factor processes as a control that they (or the industry) self-identified in response to foreseeable risks associated with unauthorized log-ins if a consumer's username and password is compromised.
- Data Retention Policies. Keeping records for only as long as they serve a business purpose is a best practice when it comes to data security for the simple reason that you can't breach what a company does not keep. Few state statues mandate, however, that records be destroyed after their business purpose has expired. The Proposal would require that 18 months after the regulation goes into effect companies securely dispose of data when it is no longer needed.
- Application Vulnerability Scanning. Scanning software applications for vulnerabilities is a relatively common practice particularly when the application is internally developed. Often times, however, companies do not internally develop software. Where a company obtains an application from a third party, it may be less common that they subject the application to vulnerability scans and some financial institutions simply rely upon the security representations of the developer. The proposed regulations would require that financial institutions develop written standards to be used in-house when developing software applications. The regulations would also require that if a financial institution uses software or applications developed by a third party, the institution must have a procedure for evaluating, assessing or testing the security of the externally developed application as it is applied in the institution's environment.
- Audit Trails. Audit trails refer to logs that document the actions taken on various information systems. For example, audit trails may establish who accessed an application, what actions were taken within the application, what data left the application, and where that data was sent. The Proposal indicates that if a financial institution's risk assessment indicates that the institution must create audit trails to detect (and investigate) cyber security events, those logs must be kept for at least five years.
- Account activity monitoring. Many companies monitor the activity of their internal users (e.g., employees) and external users (e.g., customers) for signs of suspicious activities that may indicate an account has been compromised. The Proposal would require that financial institutions create policies, procedures and controls for such monitoring.
It is not yet certain whether the Proposal will go into effect. If it does, it will undoubtedly add to the greater patchwork of data security laws in the United States. It is unlikely, however, to signify a sea-change in data security standards.