Recent enforcement actions and announcements show that state and federal regulators are continuing to focus intensely on cybersecurity and data protection. Notably, the New York Department of Financial Services (“NYDFS”) recently issued the latest proposed amendments to its Cybersecurity Regulations. NYDFS also recently announced a $4.25 million cybersecurity consent order with OneMain Financial Group, LLC (“OneMain”). In addition, the U.S. Federal Trade Commission (“FTC”) recently announced a settlement with genetic testing company 1Health.io (“1Health”).
New Proposed Amendments to NYDFS Cybersecurity Regulations
The NYDFS recently announced updated proposed amendments to its industry-leading cybersecurity regulations. These latest amendments follow public comments on earlier proposed amendments circulated in November 2022. If adopted, companies regulated by NYDFS would face several new requirements, including the following:
- Class A Companies. The proposed amendments would create a new category of large “Class A companies,” defined as companies with at least $20 million in gross annual revenue in each of the last two years from business in New York and over 2,000 employees averaged over the last two fiscal years (regardless of location), or more than $1 billion in gross annual revenue over the last two years. Class A companies would be required to adhere to stricter requirements, including annual independent audits of their cybersecurity program, implementing a privileged access management solution, monitoring endpoint detection and response, and centralized logging and security event alerting.
- Board Approval of Cybersecurity Policies. Cybersecurity policies, which companies must have under existing rules, must be approved by the senior governing body of the company (e.g., the board of directors).
- Data Retention. Companies would be required to develop data retention standards as part of their required cybersecurity policy.
- CISO Reporting. A company’s chief information security officer (“CISO”), which companies must designate under existing rules, would be required to “timely report material cybersecurity issues” to the company’s board.
- Board Oversight and Competence. Company boards would be required to “exercise effective oversight over the company’s risk management” and “have sufficient understanding of cybersecurity-related matters to exercise such oversight.”
- Annual Penetration Testing. Companies would be required to conduct annual penetration testing of their information systems and perform automated scans of systems to uncover vulnerabilities.
- Encryption. The proposed amendment would update current regulations, which require businesses to encrypt nonpublic information, by mandating that such encryption “meets industry standards.”
- Incident Response. Companies would be required to update their incident response plans with new provisions on backing up data and to develop a business continuity and disaster recovery plan.
- Cybersecurity Notifications. The proposed amendments would also expand the current requirement that companies notify the NYDFS of cybersecurity events by expressly stating that such reporting covers affiliates and third-party service providers.
- Ransomware Payments. Companies would have to notify the NYDFS within 24 hours of any ransomware payments made in connection with a cybersecurity event.
Comments on the latest round of proposed amendments are due by Monday, August 14, at 5:00 p.m. ET.
OneMain Consent Order
NYDFS also recently entered into a consent order with OneMain, a publicly traded financial services company with consumer loan and mortgage service businesses regulated by the NYDFS. In connection with its investigation, NYDFS found that OneMain violated five separate requirements of the Cybersecurity Regulations:
- Cybersecurity Policy. OneMain maintained an insufficient cybersecurity policy that lacked the documentation required by 23 NYCRR § 500.03(e).
- Access Privileges. NYDFS found numerous deficiencies in OneMain’s access privileges, including sharing of administrative accounts, manual privilege reviews, which introduced “a high risk of human error that is unacceptable for a network with hundreds of applications and more than 11,000 users,” and passwords stored on shared drives under folders named “PASSWORDS.” 23 NYCRR § 500.07.
- Application Security. NYDFS found that OneMain lacked a formalized methodology to protect information systems and nonpublic information during application development and quality assurance operations. 23 NYCRR § 500.08.
- Cybersecurity Personnel and Intelligence Training. OneMain failed to provide secure coding training and did not effectively track or adequately implement training for its more than 500 information technology employees, which the NYDFS noted was a particular concern because “OneMain does extensive in-house application development and has created its own application programming interfaces.” 23 NYCRR § 500.10(a)(3).
- Third-Party Service Provider Security Policy. Finally, OneMain’s third-party vendor management policy was not appropriately implemented. In particular, NYDFS highlighted the fact that OneMain failed to perform timely due diligence for certain high- and medium-risk vendors, which “effectively render[ed] such risk ratings moot.” This included allowing vendors to work on certain systems before the completion of OneMain’s onboarding security questionnaire and third-party information security risk acceptance. 23 NYCRR § 500.11(a).
Notably, as we have seen in other recent consent orders, the OneMain enforcement action followed a routine examination conducted by NYDFS, demonstrating that the regulator will not wait for a cybersecurity event before acting.
FTC’s Genetic Data Settlement
In June 2023, the FTC entered into a settlement with 1Health, a California-based genetic testing company, over its alleged failure to “uniformly apply basic safeguards” to protect customers’ sensitive DNA and health data.
The FTC’s five-count complaint alleged the following:
- Security Misrepresentations. 1Health made false and deceptive misrepresentations about its cybersecurity standards, such as its claims that it exceeded industry security standards and segregated DNA results from customers’ identifying information. Among other things, the FTC highlighted 1Health’s multiple uses of images of padlocks on its website to give website visitors the impression that the company took security seriously.
- Deletion Misrepresentations. 1Health misrepresented customers’ right to delete their data and destroy saliva samples. The FTC found that this was not possible because the company did not have an inventory of all its customers’ data and it did not have a contract in place with its laboratory partners to require saliva samples to be destroyed.
- Privacy Policy Misrepresentations. 1Health unfairly adopted retroactive changes to its privacy policy without notifying customers or obtaining consent. This included material changes related to the company’s policy on sharing sensitive information with third parties.
While the allegations in the complaint are undoubtedly serious, it is noteworthy that the settlement between the FTC and 1Health only resulted in a $75,000 fine.
Takeaways
Privacy and cybersecurity continue to be top of mind for state and federal regulators, as evidenced by these recent enforcement actions. Companies regulated by the NYDFS and businesses handling particularly sensitive data will continue to face the most persistent enforcement scrutiny. Having robust cybersecurity and privacy programs in place is essential to reducing companies’ risk profiles.