Last week, NYS DFS began sending out e-mail notices to individuals stating that they had failed to comply with the Certification of Compliance requirement under 23 N.Y.C.R.R. § 500.17(b), which mandates that a Covered Entity under the regulations certify compliance annually. The deadline for certification was February 15, 2018.
For many of the individuals who received these notices, the notices were likely helpful, as those individuals may not have realized that they too are Covered Entities under the regulations. Importantly, no mass e-mailing went out to all Covered Entities before the February 15 certification deadline reminding them that they had to comply, so some Covered Entities may still have been in the dark about these new regulations. The problem arises for certain other individuals who may have received this notice but are covered by the complete exemption from Part 500 contained in § 500.19(b). This exemption reads:
An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity.
See 23 N.Y.C.R.R. § 500.19(b) (available here).
A complete exemption is just that—complete. But DFS seems to be taking the position that even individuals subject to the complete exemption under § 500.19(b) should have filed a Certification of Compliance under § 500.17(b) by February 15. Specifically, DFS states, in recent updates on their Part 500 landing page:
People who received the reminder are required to file the Certificate of Compliance even if you filed for an exemption under 23 NYCRR Part 500.19. These exemptions have been tailored to address particular circumstances and include requirements that the Department believes are necessary for exempted entities. Covered Entities are required to file a Certificate of Compliance to confirm that they are in compliance with those provisions of the regulation that apply to the Covered Entity.
DFS’s Part 500 landing page is available here.
DFS’s comment in this regard is clearly directed at the limited exemption under § 500.19(a), which has specific “requirements that the Department believes are necessary for exempted entities,” such as the certification under § 500.17(b). Specifically, § 500.19(a) exempted entities are still required to comply with the following sections of Part 500:
- § 500.02: Cybersecurity Program
- § 500.03: Cybersecurity Policy
- § 500.07: Access Privileges
- § 500.09: Risk Assessment
- § 500.11: Third Party Service Provider Security Policy
- § 500.13: Limitations on Data Retention
- § 500.17: Notices to Superintendent (which includes the Certification of Compliance under § 500.17(b))
Adding to this confusion, DFS has posted its guidance concerning the recent e-mail notice on its Part 500 landing page, not on its FAQs page (which can be found here). In DFS’s defense, a Covered Entity looking for guidance might find the landing page if it Googled “DFS certification notice failure Part 500,” but the title of DFS’s landing page is “NYSDFS: Key Dates under New York’s Cybersecurity Regulation (23 NYCRR Part 500),” and it is currently displayed second in such a Google search, with the first result being DFS’s FAQ page. A link to the Google search results (which may change as searches are run and the Google search algorithm reacts) can be found here.
The upshot of all of this is that more guidance is required from DFS to resolve the issue of whether fully exempted entities under § 500.19(b) must still file a Certification of Compliance under § 500.17(b), which, according to Part 500, they currently do not. More importantly, this makes clear that Covered Entities now need to keep two eyes on the DFS regulatory guidance ball, monitoring both the FAQ page and the Part 500 landing page for updates from DFS. Stay tuned to this blog for any developments in this regard.