Privacy & Data Security Law News

New York Bank Cyber Rule Deadline Signals Enforcement Risk (1)

Jan. 16, 2020, 5:00 PMUpdated: Jan. 16, 2020, 7:48 PM

New York financial companies may face their first fines under state cybersecurity rules following an April 15 compliance deadline, attorneys said.

Firms including Equifax Inc., Bank of New York Mellon Corp., and American Express Banking Corp., must show by the deadline they have cybersecurity protections in place, that consumer data is safe from hackers, and that they routinely check their systems for weaknesses, under the rules.

The state Department of Financial Services’ April 15 deadline is a reminder to financial firms that they have the next three months to bolster their systems before it’s too late to avoid fines under the first-in-the-nation state cybersecurity rules, attorneys said.

There likely will be “a significant increase” in enforcement after the deadline, said Avi Gesser, a principal member of Davis Polk & Wardwell LLP’s cybersecurity practice, who represents companies and financial institutions. State enforcers are “staffing up” ahead of the deadline, he said.

The state agency “likely within months” of the deadline will take its first actions, said Joseph Moreno, a cybersecurity partner at Cadwalader, Wickersham & Taft LLP who represents companies on banking issues. The actions may include fines, license suspensions or directives to stop unsafe practices, he said.

The state financial services department declined to comment. The agency hasn’t disclosed the size of any fines it may issue.

As the world’s financial capital, New York is under constant threat from cybercriminals seeking a massive payday. The 2017 Equifax data breach, which exposed the data of 143 million Americans, highlights the risk.

The threats prompted the state financial services agency to issue cybersecurity rules in March 2017. Nearly three years later, the agency has yet to issue fines under the rules, though it did sign a consent order with Equifax in June 2018.

The enforcement lull is tied to the agency updating rules and allowing a transition period for company preparations, attorneys said. But the agency this year is primed to “make an example of those who commit technical violations,” having given banks the time to get into compliance, Moreno said.

The agency is “likely to have a particularly low tolerance going forward for covered entities that have been warned of the threat and nonetheless fail to put adequate safeguards and notification procedures into place,” he said.

Companies shouldn’t panic, but they “should take stock where they are,’' said Luke Dembosky, co-chair of Debevoise & Plimpton LLP’s cybersecurity and data privacy practice. “Stay on top of the program and be ready for any inquiries.”

Companies’ senior management and boards should reassess cybersecurity protections and compliance with the rules, Dembosky, who represents companies and financial institutions on privacy and cybersecurity issues, said.

Financial companies also should make sure they are aware of new cybersecurity threats, attorneys said. Recent alerts about Iranian hacking are a reminder to have adequate protections, they said.

(Updates with agency comment declination.)

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: John Hughes at jhughes@bloomberglaw.com; Keith Perine at kperine@bloomberglaw.com

To read more articles log in. To learn more about a subscription click here.