Cybersecurity Regulations Can Move at Lightning Speed; Don’t Get Burned!

As we have noted previously on the new DFS cybersecurity regulations, 23 N.Y.C.R.R. Part 500, the regulatory process is—by definition—vastly more swift and adaptable than the legislative process. What may get bogged down in legislative committee for months or years can be hammered out in a matter of days in the administrative state.

Case in point: the newly proposed 23 N.Y.C.R.R. Part 201, which would require consumer credit reporting agencies to register with the Department of Financial Services in order to do business in New York State, and also expressly subjects these agencies to Part 500. These proposed additions to Title 23 come in the wake of the Equifax breach, and were announced less than seven working days after news of the Equifax breach broke the evening of September 7, 2017. The proposed regulations can be found here and are subject to a 30-day notice and comment period beginning October 4, 2017. They are drafted with rolling effective dates, depending on the section of Part 500 involved, beginning on April 4, 2018.

The lesson to take from these developments is that regulatory changes in relation to Part 500 can be swift and may be driven by cyber headlines. For example, with the news that also broke today concerning a back-door malware delivery system built into certain Avast software, DFS may deliver guidance about vetting application security, which is already covered under 23 N.Y.C.R.R. § 500.07, or accelerate application security requirements under Part 500, which are currently only scheduled to go into effect on September 3, 2018. Certainly, the Equifax breach is not the last cyber headline that will move regulators to act, and it isn’t the last breach that may change the way we all have to deal with Risk Assessments and breach planning. Change is the new normal on the cyber regulation front, and the Equifax breach has underscored the accelerated pace of that change.




This website presents only general information not intended as legal advice. Although we encourage calls, letters and emails from prospective clients, please keep in mind that merely contacting Harter Secrest & Emery LLP (HSE) does not establish an attorney-client relationship between us. Confidential information should not be sent to HSE until you have been notified in writing by HSE that a formal attorney-client relationship has been established. Information sent to us before then may not be treated as confidential by HSE or the court.
