Cybersecurity Update - What to Look for in 2017

It's a new year, but cybersecurity and data security remain hot button issues. The cybersecurity landscape in 2017 is, in many ways, still as unsettled and uncertain as it was in 2016. As we reported in December, a Presidential commission on cybersecurity issued a detailed report setting forth numerous recommendations to be addressed by the President and Congress going forward. It remains to be seen what direction the new Federal administration will take on the cybersecurity initiatives recommended by the commission. In the meantime, New York State and the Courts continue to struggle with the issue. Below are some of the cybersecurity issues to monitor as we go forward in 2017.

New York Department of Financial Services Cybersecurity Regulations

Last September, the New York Department of Financial Services ("DFS") issued proposed cybersecurity regulations for entities falling within its jurisdiction, including banks and insurers. Specifically, the "Covered Entities" under the regulations are defined to include: "any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, insurance law or the financial services law." The proposed regulations provided for fairly stringent data security protections across the board for all covered entities, including detailed cybersecurity programs, increased monitoring of vendors working with the covered entities, requiring the appointment of a chief information security officer ("CISO"), and a requirement to report any data breach within 72 hours.

The proposed regulations were met with significant concerns and criticisms for being too stringent and allowing no flexibility based on the size or nature of the covered entity – the smallest entity would have been required to meet the exact same requirements as the largest and entities that have only limited involvement with sensitive data would have been required to meet the same requirements as entities that control and maintain volumes of such data. After receiving and reviewing a multitude of public comments, the DFS issued revised proposed regulations in December 2016. In addition, the DFS delayed the implementation of the regulations from January 1 until March 1, 2017, to allow for an additional comment period ending on January 27 and provided Covered Entities with a more generous time table in which to comply with the requirements.

While many comments were directed at the definition of a "Covered Entity," which was criticized for being too broad, the DFS did not bend on that issue. Instead, the DFS did expand what Covered Entities would be exempt from the regulations such that smaller entities (less than 10 employees or less than $5 million gross annual revenue for three years or less than $10 million in year-end total assets) and entities that lack certain involvement with "Information Systems" or "Nonpublic Information" (both of which are defined terms in the regulations) would not be subject to some or all of the regulations.

DFS also modified its data breach reporting requirements. Instead of requiring the notification no later than 72 hours "after becoming aware of" a cyber breach, the regulations now require notification no later than 72 hours "from a determination that a cybersecurity event"¦occurred." DFS also modified what was included as a "cybersecurity event" to include only those events where the entity is otherwise required to provide notice to another governmental/regulatory body or agency or if the event has a "reasonable likelihood" of causing harm to any material part of the normal operations of the Covered Entity.

The regulations were also modified to address the concern that they were a "one size fits all" solution in a world where information and data security systems are highly varied for different entities. The regulations now permit a Covered Entity to perform its own risk assessment and focus its response more on the risks particular to its business.

There were several additional modifications or clarifications as well to issues such as the CISO requirement (DFS clarified that entities did not have to hire a new executive but could appoint an existing employee to that position) and the vendor issue (entities do not have to "monitor" their third-party vendors, but must still have in place written policies and procedures for how information is shared with third-party vendors).

For Covered Entities, the revised regulations certainly provided some relief and there will certainly be continued monitoring of the DFS' reaction to the comments to the revised regulations. The revisions made so far seem to reflect the DFS' willingness to allow some flexibility while maintaining structure to the regulations. In fact, the DFS regulations are viewed as some of the most detailed cybersecurity regulations throughout the country – state or federal – and many are watching to see if similar versions of the regulations make their way to other governmental bodies.

The FTC Continues to Explore Its Roles as Administrative Enforcer of Data Security

Last year we provided several updates on the Federal Trade Commission (FTC) and its dispute with LabMD Inc. In that case, the company was accused of leaving customers' names, Social Security numbers, dates of birth and personal health insurance information exposed on publicly accessible file sharing networks. The FTC sought to impose sanctions against the company for violating the Federal Trade Commission Act. After the FTC's claims against the company were initially dismissed by an administrative judge, the FTC commissions ruled that the company's failure to employ "basic" security precautions led to an unauthorized disclosure of private medical data that caused "substantial harm" in violation of the Federal Trade Commission Act.

The company appealed the FTC determination to a federal appellate court, which in November of last year granted the company a stay of the enforcement of the FTC's ruling pending a final determination by the court. The stage is now set for the federal court to render its ultimate ruling, which could significantly impact the FTC's role in cybersecurity enforcement and set the matter up for review by the Supreme Court.

Continued Fallout from Spokeo

Last year we also reported several times on the Spokeo v. Robins case. Spokeo was a case decided in May 2016 by the U.S. Supreme Court and involved the issue of what sort of "injury" a plaintiff needed to demonstrate in order to be able to bring a federal lawsuit. Specifically, the question was whether it was enough to demonstrate simply that the defendant violated a provision of a statute or if the plaintiff needed to show some additional "concrete" injury. The case did not directly involve a cybersecurity breach event, but was in the same realm since it did involve privacy issues. Indeed, a primary issue in data breach litigation (including class action claims) is whether a mere data breach involving a plaintiff's personal information is sufficient to permit the plaintiff to bring a lawsuit, or if the plaintiff must demonstrate that there has been some actual harm suffered as a result of the breach – for example, their information being used to open false accounts.

Unfortunately, the Supreme Court did not give the sort of definitive answer on the issue that people anticipated, but instead left the area in a continued murky state that has since led to a number of conflicting decisions by lower courts on exactly what a plaintiff is required to demonstrate in order to maintain a claim. Thus, it remains unclear what a plaintiff must demonstrate to maintain a lawsuit, in particular in a case involving a data breach. Moreover, recent cases have shown a trend of plaintiff's simply taking cases to state courts and potentially avoiding the reach of Spokeo (and its progeny) altogether.

Thus, for individuals whose data has been compromised in a breach and for businesses assessing the potential liabilities of a breach, the landscape remains shifting and uncertain. While Spokeo did not provide the definitive answer for which some people were hoping, the issue remains at the forefront of privacy and data breach litigation – and that hopefully means some more clarity coming in the future as the courts are required to address the issue.