As we have noted previously on the new DFS cybersecurity regulations, 23 N.Y.C.R.R. Part 500, the regulatory process is—by definition—far swifter and more adaptable than the legislative process. What may get bogged down in legislative committee for months or years can be hammered out in a matter of days in the administrative state.
Case in point: the newly proposed 23 N.Y.C.R.R. Part 201, which would require consumer credit reporting agencies to register with the Department of Financial Services in order to do business in New York State, and also expressly subjects these agencies to Part 500. These proposed additions to Title 23 come in the wake of the Equifax breach, and were announced less than seven working days after news of the Equifax breach broke the evening of September 7, 2017. The proposed regulations can be found here and are subject to a 30-day notice and comment period beginning October 4, 2017. They are drafted with rolling effective dates, depending on the section of Part 500 involved, beginning on April 4, 2018.
The lesson to take from these developments is that regulatory changes in relation to Part 500 can be swift and may be driven by cyber headlines. For example, with the news that also broke today concerning a back-door malware delivery system built into certain Avast software, DFS may deliver guidance about vetting application security, which is already covered under 23 N.Y.C.R.R. § 500.07, or accelerate application security requirements under Part 500, which are currently only scheduled to go into effect on September 3, 2018. Certainly, the Equifax breach is not the last cyber headline that will move regulators to act, and it isn’t the last breach that may change the way we all have to deal with Risk Assessments and breach planning. Change is the new normal on the cyber regulation front, and the Equifax breach has underscored the accelerated pace of that change.