Effective March 1, 2017, the New York State Department of Financial Services promulgated regulations to help protect against cybercriminals and their efforts to exploit sensitive electronic data. These cybersecurity regulations apply to all individuals and entities that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, with a few exceptions. This will undoubtedly result in insurance companies and other related healthcare entities, which hold sensitive patient health information, beefing up their internal and external rules and policies. New York’s proactive stance should be taken with the utmost seriousness seeing that there are more than 400 cyber attacks each day over the internet, or almost 3 every minute.
The United States Congress has enacted a similar law to protect health information, the Health Insurance Portability and Accountability Act (“HIPAA”). However, because HIPAA was enacted and modified years prior to cybersecurity becoming a prominent threat to our society, HIPAA does not provide as much protection to patients’ electronic data as the New York regulations do. HIPAA does provide important guidelines and safeguards to ensure the integrity and confidentiality of protected health information, but does not elaborate on many of the issues presented in New York’s cybersecurity regulations.
New York’s cybersecurity regulations require all “Covered Entities”, as defined in the regulations, to maintain a cybersecurity program to guard the confidentiality of Nonpublic Information, which includes a risk assessment and a comprehensive cybersecurity policy. In addition, Covered Entities are now required to designate an individual to serve as the Chief Information Security Officer (“CISO”). The CISO is tasked with overseeing, implementing and enforcing the Covered Entity’s cybersecurity policy, and is required to report, in writing and at least annually, to the Covered Entity’s Board of Directors or similar governing body. The CISO’s report must include, as applicable, information on “(1) the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems; (2) the Covered Entity’s cybersecurity policies and procedures; (3) material cybersecurity risks to the Covered Entity; (4) overall effectiveness of the Covered Entity’s cybersecurity program; and (5) material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.”
Compliance with the cybersecurity regulations will be transitioned over a two-year period with full compliance required by March 1, 2019.