On September 1, 2018, Colorado’s breach notification statute update became effective. The legislation bolsters data privacy protections by requiring notice to Colorado residents affected by a data breach and the Colorado AG within 30 days of determining that a security breach occurred. It also sets forth the content of notice to residents, expands the definition of personal information, mandates certain data security protocols and amends requirements relating to disposal of PII.
Additionally, following a transitional period, “covered entities” are now required to be in compliance with various requirements of the New York Department of Financial Services’ revised cybersecurity regulation.
Broadly speaking, it applies to “covered entities” under New York’s Banking Law, Insurance Law or Financial Services Law. As of September 1, 2018, covered entities must, without limitation, conduct risk assessments, maintain data retention policies and monitor access to non-public information. Covered entities must also implement controls, including encryption, to protect nonpublic information held or transmitted both in transit over external networks and at rest.
The DFS’ cybersecurity regulation is the first of its kind in the nation. Not only are banks, insurance companies and other financial services institutions regulated by DFS required to have a cybersecurity program designed to protect consumers’ private data, they must also have written policies that are approved by the board or a senior officer, and take steps to ensure the safety and soundness of New York’s financial services industry.
Covered entities must also begin reporting cybersecurity events to DFS through the DFS’ online cybersecurity portal. Covered entities can also virtually file notices of exemption, which are due within 30 days of the determination that the covered entity is exempt.
A cybersecurity event is reportable if it falls into at least one of the following categories:
- The cybersecurity event impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
- The cybersecurity event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity. Further information regarding the types of events that require reporting can be found here.
“This day marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyber-attacks,” said Superintendent Maria T. Vullo. “With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems.”
Contact a privacy lawyer if you are interested in learning more about this topic or other nationwide privacy and data security developments. Richard Newman is a digital marketing attorney at Hinch Newman LLP. Follow him on LinkedIn at FTC Defense Lawyer.
Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777