As you know if you regularly read this blog, the New York State DFS has at last finalized its “first-in-the-nation” cybersecurity rules with an effective date of March 1, 2017. And their reach is quite large: DFS-supervised entities from insurers and banks to mortgage brokers and credit unions (and their third-party service providers) will have to begin assessing their cybersecurity risks and responding with detailed cybersecurity programs headed up by chief information security officers. Various compliance deadlines under these regulations range from 180 days after the effective date of the regulations to two years after the effective date for third-party service providers. For more information on the development and requirements of the DFS cybersecurity regulations see our articles: Getting Prepared for the New York Department of Financial Services’ Proposed Cyber Security Regulations, and New York Releases Revised Proposed Cyber Security Regulations.
Although the requirements are burdensome and the goals of the regulations lofty, a recent announcement from the New York Attorney General may make them more politically palatable. Last week Attorney General Eric Schneiderman announced a record number of data breach notices were received by his office in 2016, with breaches increasing 60% over 2015. In total, nearly 1,300 breaches were reported that exposed the personal records of nearly 1.6 million New Yorkers, though “mega-breaches” appeared to decline from the previous decade. Of the reported breaches, financial account information and Social Security numbers were the most frequently acquired information, together accounting for 81% of the breaches. Thus, although the DFS cybersecurity regulations were years in the making, their issuance on the heels of a year of record data breaches may yet prove prescient.
At the federal level, the tide seems to be turning the other way. The Trump administration’s “skinny budget” did include a $1.5 billion allocation to the Department of Homeland Security to fund various cybersecurity efforts, from critical infrastructure protection to information sharing between federal agencies and the private sector. But budget cuts to other agencies may paint a more accurate picture of the administration’s cybersecurity priorities. For example, President Trump did not re-up President Obama’s pot of funds to be broadly distributed across the federal government for more widespread initiatives such as moving to multi-factor authentication, updating federal agencies’ severely outdated computer systems, and hiring more qualified cybersecurity professionals into the federal workforce.
On top of the Trump budget blueprint lacking this broader allocation of funds, the administration’s budget also proposes actual cuts to many agencies that house the personal information of U.S. citizens, including the SSA, ED, IRS, HUD, and HHS, among others. This budget proposal came less than a week after the release of a report from the White House’s OMB, which found that federal agencies suffered over 30,000 cyber incidents in 2016 and highlighted the need for departments across the federal government to strengthen their IT systems. Faced with potential budget cuts, a panel of federal agency Inspectors General testified before a House Appropriations subcommittee in early March that the cuts will force their agencies to make difficult decisions between modernizing and updating IT systems and maintaining or reducing the services they provide.
In Congress too, privacy priorities have shifted. Last week the Senate passed a resolution repealing broadband privacy rules issued by the FCC last year using the Congressional Review Act. This followed an FCC vote earlier in March, led by the newly-installed Commissioner, to stall the implementation of the data security portion of those rules. Commissioner Ajit Pai framed the votes as an effort to ensure that FCC rules are aligned with the approach to privacy regulation that the FTC has pursued, and added that the FCC is open to moving forward with a new framework. The House voted on Tuesday to pass the Senate’s resolution, which, if signed by President Trump, could leave a gap in federal privacy protections for internet consumers and cybersecurity regulations for internet service providers and those entities that collect and store consumers’ information.
Interestingly, the day after the House voted to pass the Senate’s resolution repealing the FCC’s privacy protections, a bipartisan group of senators introduced a bill called the Main Street Cybersecurity Act, aimed at helping small businesses grapple with cybersecurity risks. In addition, Democratic legislators wrote a letter to the FCC on Tuesday urging the regulatory body to take action on the rising risks of cellphone cybersecurity. So there are some in the federal government who recognize that resources and regulation may be needed to protect consumers.
Several states, however, have already followed New York’s lead to bridge the federal privacy and cybersecurity gap, including California and Connecticut’s recently updated laws limiting government access to email and other online communications and Illinois’ consideration of a “right to know” bill to let consumers find out the information certain internet companies collect about them. Unlike the DFS cybersecurity regulations, these and other such state privacy initiatives in New Mexico, Nebraska and West Virginia focus on the privacy of individuals rather than the strength of data collectors’ IT systems. The laws nevertheless do create regulatory requirements for the data collectors, and regulations directly governing these entities’ cybersecurity practices and preparedness may not be far behind as the discussion of privacy intensifies. The Connecticut Department of Banking, for example, has said that it is open to adopting new provisions to regulate cybersecurity after a review of New York’s regulations.
With these concerns finding champions in a few statehouses across the country, residents of states without these privacy protections may soon start to pressure their own state legislators and regulators to follow suit. Since privacy and cybersecurity are apparently areas where legislators are willing to reach across the aisle to protect their constituents’ (and frankly their own) private data, entities that operate in multiple states or across state lines could face a tangled web of competing regulation as multiple states move to act where the federal government is not.