Yesterday, the New York State Department of Financial Services (“DFS”) released draft regulations on cybersecurity potentially affecting all entities licensed or permitted by DFS.  The DFS press release is here: and the draft regulations can be found here:  DFS first announced its intention to issue these regulations in a letter to federal regulators in November 2015, seeking collaboration with the relevant federal authorities.

In the DFS press release, Governor Cuomo noted that “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.  This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”  See

Under the draft regulations, DFS-regulated entities must:

The regulations have a proposed effective date of January 1, 2017, and will allow 180 days for compliance, which DFS-regulated entities will have to certify in writing to DFS.

The draft regulations also cover types of information not directly related to financial services, including health care information and “[a]ny information that can be used to distinguish an individual or trace an individual’s identity,” including “employment information.”  This broad sweep causes the draft DFS regulations to overlap with other regulatory schemes, such as the various state data breach notification and cybersecurity requirements, HIPAA, the Gramm-Leach-Bliley Act, and potentially the Federal Trade Commission Act.  HSE will be publishing a more detailed analysis of the regulations and this overlap following this blog post.