Each October the Department of Homeland Security celebrates National Cyber Security Awareness Month, a national public awareness campaign that encourages businesses and individuals to take steps to protect themselves from cyber threats.
As we have noted previously on the new DFS cybersecurity regulations, 23 N.Y.C.R.R. Part 500, the regulatory process is—by definition—vastly more swift and adaptable than the legislative process. What may get bogged down in legislative committee for months or years can be hammered out in a matter of days in the administrative state.
The sheer size of the recent Equifax breach—affecting nearly half of all Americans and potentially more than half of those over 18—is staggering. It is the nature of the breach, however, and the type of information taken, that gives the greatest pause.
On October 3, 2012, Nationwide Mutual Insurance Company and its wholly-owned subsidiary Allied Property & Casualty Insurance Company experienced a data breach when a hacker exploited a vulnerability on the companies’ web application hosting software. This hack resulted in the compromise of the personal information of 1.27 million consumers, including social security numbers, driver’s license numbers, credit scoring information, and other data used to provide insurance quotes.
Few things have upended the world of cybersecurity regulation in the United States recently more than the new cybersecurity regulations issued by the New York State Department of Financial Services (“DFS”) in March of this year. Found in 23 N.Y.C.R.R. Part 500, these new regulations are sweeping in scope and reach far beyond the financial services sector in New York, affecting entities that support that sector as well as a number of other entities that may not have thought of themselves as governed, even in part, by DFS.