New York’s Newly Proposed Cybersecurity Regulations: Conflict or Harmony With the NAIC Draft Model Act?
In the spring of 2016, the National Association of Insurance Commissioners (“NAIC”) exposed its first draft of a data security model law applicable to insurers and producers (“Model Act”). That draft was amended and exposed again in August 2016. A final draft is expected late this year. Now, added to this landscape of data security regulation of insurers, on September 13, 2016, the New York Department of Financial Services (“NYDFS”) proposed its first set of data security/cybersecurity regulations, due to be effective on January 1, 2017. According to the proposed regulations, the regulatory scheme embodied in the regulations “is a priority for New York State” and by promulgating these regulations, the NYDFS deems it critical that New York financial services companies “move swiftly and urgently” to adopt compliant cybersecurity programs. Because insurance companies licensed both in New York and in other states that may adopt the Model Act must comply with both, and there are some key differences between the two regulatory schemes, complying with both could pose issues for insurers and producers.
Both the proposed NYDFS regulations and the Model Act include in their definitions of protected information the obvious categories of social security information, financial account information and health information, as well as any non-public information obtained from existing or potential policyholders during the insurance application process. However, the catch-all provisions of the proposed NYDFS regulations sweep into the definition of protected information, “[a]ny information that can be used to distinguish or trace an individual’s identity…” The Model Act, on the other hand, includes any other information “that would be sufficient to permit the fraudulent assumption of the consumer’s identity or unauthorized access to an account of the consumer.” It is possible that information that would be considered protected information in New York may not be considered protected under the Model Act. The Model Act may allow an individual’s identity to be distinguished or traced, but would not be sufficient to permit a fraudulent assumption of identity or unauthorized access to the consumer’s account. In the event of a breach, reporting requirements may be triggered in New York, but not in any Model Act states.
Under the Model Act, an insurer/producer must designate an employee to be responsible for assessing data security risks and developing and implementing a data security program. If the insurer/producer has a board of directors, the board (or a committee thereof) must oversee the development and implementation of the data security program and the employee responsible for the data security program must report to the board at least annually. Under the proposed NYDFS regulations, the insurer/producer must appoint a “qualified” employee to act as Chief Information Security Officer (“CISO”) to develop and implement the data security program. The CISO will report bi-annually to either the board of directors, or if no board, the “Senior Officer” responsible for the data security program. A “Senior Officer” must also approve the insurer/producer’s data security policy. Further, the proposed NYDFS regulations impose specific requirements for training and ensuring that employees responsible for implementing the data security program are regularly updated on “changing cybersecurity threats and countermeasures.” As the proposed NYDFS regulations appear more detailed and stringent, companies will likely choose to comply with the proposed NYDFS regulations regardless of any lesser requirements of the Model Act.
Under the Model Act, any data breach reports, or evaluations by the Commissioner as part of any examination, are confidential and not subject to production under any state or federal freedom of information act or sunshine law, and are not subject to production through subpoena or discovery request. No such provision exists in the proposed NYDFS regulations. This is reminiscent of New York’s original 2014 draft of its proposed regulations on enterprise risk and own risk solvency analysis (“ORSA”). The NYDFS initially took the position that the confidentiality of such communications were already covered under existing law. Based on industry comment, a provision was added to the enterprise risk and ORSA regulations allowing companies to request confidential status for such information. As this issue was the subject of numerous comments by insurers and producers in the Model Act drafting process, it is likely an issue that will generate similar comments from New York licensed insurers and producers.
Both the Model Act and the proposed NYDFS regulations require that large sophisticated insurers/producers maintain state-of-the-art security processes, such as encryption of data and multifactor authentication, although the proposed NYDFS regulations allow a delayed phase-in for encryption if “compensating controls approved by the … CISO” are used. The proposed NYDFS regulations also require the installation of audit trail systems that would allow reconstruction of transactions, and log user access and system events. For smaller, less sophisticated insurers/producers, such state-of-the-art techniques need only be used under the Model Act “as appropriate… commensurate with the sensitivity of the information, as well as the complexity and scope of the [companies’] activities based on generally accepted cybersecurity principles…” No guidance is given in the Model Act to determine how this sliding scale approach is to be used.
The proposed NYDFS regulations, on the other hand, have a more bright-line approach, and waive the use of such security processes for companies that have fewer than 1,000 customers, less than $5 million in gross revenue, and less than $10 million in year-end assets. Any insurer/producer that does not meet each of these requirements must employ the state-of-the-art security processes set forth in the regulations. Thus, smaller insurers/producers that might be able to take advantage of the Model Act’s sliding scale approach and tailor the security measures to their specific data security issues, may nonetheless be required to employ a state-of-the-art security system to comply with the proposed NYDFS regulations.
The Model Act contains provisions regarding the timing and content of notice to consumers and credit reporting agencies in the event of a breach. The Model Act also specifically grants to the Commissioner the authority to require the breached company to provide consumer protections for “12 months or more.” The proposed NYDFS regulations contain no provisions for consumer notice, notice to credit reporting agencies or consumer protections.
The above examples are just a few of the differences between the NYDFS regulations and the NAIC Model Act. As companies evaluate and implement cybersecurity regulatory requirements, they will need to harmonize the proposed NYDFS regulations and the Model Act obligations as they are finalized. Saul Ewing’s Insurance and Cybersecurity and Privacy Practices are available to assist in that process and will continue to monitor and report on developments in cybersecurity regulation as they occur. Please direct any questions about the proposed NYDFS regulations, the draft Model Act or this alert to the author at firstname.lastname@example.org