By: Rebecca L. Rakoski, Esquire
Patrick D. Isbill, Esquire
Cybersecurity breaches are getting a lot of attention nationally, not only for their design and simplicity in execution but also for the astonishing ease at which it disrupts everyday systems. No longer just idle talk among a handful of states who have already passed privacy laws, or whispers in Congress of uniform federal regulation, cybersecurity and data privacy thinkers and collaborators are rising to meet the moment. It is often overwhelming to think that protecting our proprietary information and wrestling back our private data will be one of the greater generational challenges going into the latter parts of this century.
Sure, it is easy to dismiss such cyber events as financially motivated. It is after all about the money when it comes to ransomware. But as we discover further, these breaches are too about gathering intelligence to unlock confidential trade secrets, opening a strategic business advantage, or simply draining resources to expose vulnerabilities. So preparation is key and proactive thinking will be a must. Some will rush to artificial intelligence to carry out the principle that offense is the best defense. But in the meantime, the laws are evolving quickly in this area with states stepping up to dictate the chorus of cyber readiness and compliance mandates, leaving aside that the European Union sprinted miles ahead years ago when it came to issues of cybersecurity and data privacy with the General Data Protection Regulation (“GDPR”).
So with a list of new state laws and regulations already on the books, and more coming, and cyber compliance weaving straight into the fabric of the corporate infrastructure and agendas of decision-makers, a two-part question emerges. From a business standpoint, what about enforcement, and to what degree should it be keeping corporate CEOs already up at night? The short answer is that enforcement actions are rolling, particularly in states like New York, and could be coming to a train station near you without the right security and privacy compliance programs in place, both domestically and internationally, before an attempt is made to breach the corporate gates rather than dealing with it in the aftermath.
In the Matter of Residential Mortgage Services, Inc.
Back in March of this year, the New York State Department of Financial Services (“NYDFS”) announced a settlement with Residential Mortgage Services, Inc. (“RMS”) where the licensed mortgage banker agreed to pay a $1.5 million penalty. This came after a July 2020 examination uncovered evidence that RMS had been the subject of a cyber breach in 2019, which was not reported to DFS and violated New York’s Cybersecurity Regulation Part 500.17. Pursuant to the consent order, DFS had commenced an examination of RMS during a two-year review period. During this review, DFS discovered that eighteen months earlier an employee, who collected a substantial amount of sensitive personal data from mortgage loan applicants, had responded to a phishing email, providing additional authentication and ultimately causing unauthorized access. It went on to characterize IT’s failure to direct further inquiry upon determining that access had been limited to the employee’s email account as “especially egregious” in light of the employee’s handling of private data, like social security and bank account numbers.
RMS had been required to notify DFS under 23 NYCRR 500.17(a)(1) within 72 hours of having determined that a cybersecurity event occurred. Instead, after approximately eighteen months post-breach, and at the urging of DFS, RMS then initiated an investigation and finally considered the required consumer and state breach notification laws. Notably, DFS also discovered that RMS was missing a comprehensive cybersecurity risk assessment in violation of 23 NYCRR 500.09(a). Dissecting its findings regarding the value of a comprehensive cybersecurity risk assessment is particularly instructive since DSF called such an assessment “the foundation of the risk-based cybersecurity program required by the Cybersecurity Regulation.”
These assessments can be incredibly helpful, not to mention predictive, in forecasting an organization’s vulnerability to a cyber breach or attack. But a generic preprogrammed out-of-the-box solution is one of the most common pitfall mistakes. Presenting an organization with that kind of boilerplate solution is nothing more than a tactical band-aid that overlooks the basic principles that cybersecurity and data privacy are not one-size-fits-all. As anyone knows who has earned their battle scars in business, using simple tactics over strategic thinking is the surest way to underperformance and maybe even getting outright run over. Corporations should engage the C-suite with legal counsel that is in fact strategic in their thinking and committed to finding practical solutions in a regulatory area of the law that frankly demands a commitment to innovative thinking. Each corporation’s infrastructure is tailored to its operational blueprint, and just as its stress points are unique to its foundation, so too must its security and privacy programs work synergistically in that footprint to both achieve compliance and avoid impeding its growth at the same time.
It is no surprise then that DFS echoed some of these same principles directly in the consent order with RMS. In fact, it plainly stated that these cybersecurity risk assessments are indeed fundamental to a cybersecurity program required under 23 NYCRR 500.09(a). Each regulated entity must have a clear idea of the types of specific risks it has to deal with and also “design” such a program to meet those risks. Accordingly, by performing these risk assessments, a company will be in a better position “to shape” such a program and mitigate possible threats. DFS stressed that a cybersecurity risk assessment serves “to evaluate cybersecurity risks,” as well as protect the company’s information systems and numerous classifications of data. It also stressed that an “assessment should result in thoughtful cybersecurity programs specifically tailored to safeguard the confidentiality of company and consumer data.” This acknowledgment that cybersecurity assessments should be “designed” and “shaped” to the company footprint in order to ultimately “tailor” a “thoughtful” program that protects the integrity of confidential data strongholds within the company itself should not be overlooked. In short, it is a statutory road map of sorts to not only understand how to protect one of a company’s principal assets, i.e., its proprietary data, from a business perspective but also how to achieve legal compliance without unduly placing both goals at odds.
In the Matter of National Securities Corporation
Again in April, NYDFS announced it had reached another settlement related to its Cybersecurity Regulation. This time with National Securities Corporation (“NSC”), whereupon the licensed insurance company would pay a penalty of $3 million to New York State. These violations, according to DFS, had “caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers, including thousands of New York consumers.” DFS stated in a press release they discovered in the course of an investigation that NSC had been the target of four cyber breaches during a two-year period, and two of those breaches had not been reported in violation of 23 NYCRR 500.17(a). These cyber events allowed unauthorized access to the email accounts of company employees as well as independent contractors. DFS also uncovered, among other things, that NSC failed to fully apply Multi-Factor Authentication (“MFA”) in violation of 23 NYCRR 500.12(b), nor did it implement something reasonably equivalent or use more secure access controls approved in writing by the company’s Chief Information Security Officer. Furthermore, DFS stated that NSC falsely certified annual compliance for 2018 in violation of 23 NYCRR 500.17(b) as a result of MFA having not been fully implemented.
As part of the consent order, DFS called MFA “the first line of defense” to guard against unauthorized access, including the use of phishing emails sent to deceive users into turning over personal details or other confidential information then used to gain unauthorized entry into a protected information system. Regarding remediation and similar to the matter involving RMS, DFS stated in the Order that NSC “shall continue to strengthen its controls to protect its cybersecurity systems and the private data of consumers” in accordance with 23 NYCRR 500, specifically by submitting (1) a comprehensive written Cybersecurity Incident Response Plan pursuant to 23 NYCRR 500.16; (2) a comprehensive Cybersecurity Risk Assessment of its information systems pursuant to 23 NYCRR 500.09; and (3) policies and procedures for training and monitoring pursuant to 23 NYCRR 500.14, along with the most recent cybersecurity awareness training for all personnel.
So an important takeaway is this. Any one of these three remedial measures cited by DFS in either consent orders could be done proactively to potentially avoid/mitigate such an enforcement action and the costly penalties and monitoring that follow, especially putting together a workable Cybersecurity Incident Response Plan and performing a Cybersecurity Risk Assessment to shore up an organization’s stress points before a breach occurs. More to the point, the statute makes clear that training and monitoring must be “designed to monitor the activity of authorized users” and “provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the covered entity in its risk assessment.”
Meaning that these training programs, like most essential guides to winning business philosophy and strategy, should be both “designed” and implemented with the unique organizational blueprint in mind. Bottom line – there just really are no shortcuts. An organization cannot cut and paste its security and privacy programs into compliance. It has to go beyond mere academic assumption theorems that rely heavily on unproven abstract hypotheticals. It must address instead the fault lines directly at the source using science as a primer, looking at actual psychology and behavior that can prepare employees to actively avoid granting unauthorized access using concrete and quantifiable real-life analytics to head off the problem in the first place.
Cybersecurity and data privacy’s arc is at its three-quarter turn. Having gone from a pure IT issue only five years ago to the inclusion of legal with the passage of constantly evolving state regulatory laws and now the forecasted extension of those laws – enforcement. The final turn of course will be the passage of a uniform federal law to ultimately tie this current patchwork together. Proactively addressing cybersecurity concerns within an organization is the key to implementing a successful defense against outside forces seeking to gain unauthorized access to the organization’s most valuable asset, i.e., its confidential proprietary data.
Each company’s profile is unique and so too must it tailor its cybersecurity compliance readiness plan to the organization’s distinctive identity and structural footprint. Compliance regulations are complex and continuously evolving so skilled cyber legal counsel that also combines practical thinking is a must. Accounting for the diversified business needs and blueprint of the organization will ensure it is protected every step moving forward and increase its potential for avoiding costly enforcement actions, not to mention crippling government oversight, along the horizon.
Reprinted with permission from the November 10, 2021, issue of the New York Law Journal. Further duplication without permission is prohibited. All rights reserved. © 2021 ALM Media Properties, LLC.
This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.