Brian Mund
The Regulation
For most companies, it is only a matter of time before a savvy hacker slips through their Information Technology security infrastructure and accesses material non-public information.[1] Unlike in the past, data breaches now trigger a slew of regulatory hurdles for the victimized company. In recent years, states have overwhelmingly legislated data breach notification laws; as of July 2017, 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all legislated notification procedures in the event of a data breach.[2] Moreover, the costs of non-compliance through a failure to notify can be extremely severe. For example, the Target Corporation’s security software registered a cybersecurity incident that its team determined “did not warrant immediate follow-up,” and Target did not report the event.[3] In addition to paying $39 million to settle private lawsuits,[4] Target settled an investigation with 47 Attorneys General by paying $18.5 million and agreeing to implement several advanced cybersecurity protection measures.[5]
A recently promulgated cybersecurity regulation (“Regulation”) by New York’s Department of Financial Services (“DFS”) promises to catapult data notification requirements forward. The Regulation covers a wide swath of the financial services sector and promises to affect an even wider range of companies.[6] By requiring adequate cybersecurity standards for affiliates and third party providers, the DFS Regulation will redefine cybersecurity protection standards across the country. However, the Regulation as currently written contains a gap in its 72-hour reporting limit that allows savvy companies to manipulate the timeline for notification compliance. When assessing the Regulation as a whole, one finds that a thoughtful cybersecurity compliance structure could grant a company substantially more time in the event of a potential data breach. The DFS should eliminate this gap quickly and effectively, before other states incorporate the DFS language in their own regulatory regimes.
The Gap
The Regulation’s 72-hour notification countdown does not begin at the time that the potential breach took place, nor even at the time that a potential data breach was detected. The DFS Regulation § 500.17(a) states: “Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred [.]”[7] Thus, the 72-hour time period begins at the time at which the company issues a “determination” that a “Cybersecurity Event” has occurred. A “determination” connotes a high standard of certainty, and goes far beyond mere suspicion of a potential cybersecurity incident. The definition of “determination” is instructive in this regard: the New Oxford American Dictionary defines “determination” as “the process of establishing something exactly, typically by calculation or research.”[8] However, one only reaches a point of exactitude after investigative research. Therefore, a determination transpires at some unspecified time after the initial detection of a potential cybersecurity breach. The current Regulation impliedly enables a regulated entity’s response to disentangle these two events into discrete stages—initial detection and determination—creating a buffer that extends the time before the Regulation’s 72 hours begin to run.
This distinction between the initial detection and the later determination of a cybersecurity event is not simply a fanciful fabrication. For example, the New York State Office of Information Technology Services implicitly acknowledges these two different stages within its publicized Information Technology Standard. The Information Technology Standard for Cyber Incident Response advises that “[i]t is important to recognize that not every network or system event will be a security incident. A first responder must be assigned to determine if there is an incident, categorize the incident and escalate as necessary.”[9] In other words, the mere reported detection of a system irregularity does not and should not automatically translate into a determination of a cybersecurity incident. Rather, an incident response requires a sequential process where a suspicious activity or network irregularity is first identified and then subsequently analyzed for a potential determination that a “Cybersecurity Event” has transpired. Evidently, New York State—the very same state government responsible for the DFS Regulation—distinguishes between event detection and determination. The initial detection results in the transmission of an initial detection report to a first responder capable of determining whether the event amounts to a “Cybersecurity Event.” Therefore, one cannot reasonably identify the initial detection report as the “determination” point triggering the 72-hour notification requirements outlined in Section 500.17.
The Solution
If the DFS truly desires a 72-hour maximum response period between the time of initial detection and the time of notification, then the DFS should modify the text of the Regulation to say so. Rather than granting 72 hours from the time of a determination, the clock should begin at the time of initial detection. HIPAA provides useful guidance in this regard. Under HIPAA, “A covered entity shall, following the discovery of a breach of unsecured protected health information … notify the Secretary.”[10] Thus, HIPAA identifies the time of discovery as the point at which the notification requirements begin to run. Moreover, the HIPAA Statute provides that the 60-day reporting timeframe begins on the first day on which the covered entity initially detects a breach or reasonably should have known that a breach had occurred.[11] Unlike a determination, a discovery does not require a proactive determinative step. To discover something, one needs to merely “become aware of a fact or situation.”[12] By using a discovery trigger for a data breach, a covered entity would be responsible from the time that the entity initially uncovered information suggesting an attempted breach, regardless of the speed at which the covered entity actually processes that information. The DFS should adopt the discovery language used in HIPAA and adjust the Regulation so that the 72 hours begin to run from a baseline time of discovery. In short, DFS Regulation 500.17(a) should instead read: “[e]ach Covered Entity shall notify the [DFS] superintendent as promptly as possible but in no event later than 72 hours from a discovery that a Cybersecurity Event has occurred.” This improvement would eliminate the opportunity for delaying tactics through manipulating the point at which a covered entity makes a determination of a “Cybersecurity Event.”
[1] Alice LaPlante, Preparing For The Inevitable Data Breach: What Should SMBs Do?, Forbes (Nov. 16, 2016, 4:12 P.M.), https://www.forbes.com/sites/centurylink/2016/11/16/preparing-for-the-in….
[2] Security Breach Notification Laws, Nat’l Conf. St. Legislatures (Apr. 12, 2017), http://www.ncsl.org/research/telecommunications-and-information-technolo….
[3] Elizabeth A. Harris & Nicole Perlroth, Target Missed Signs of a Data Breach, N.Y. Times (Mar. 13, 2014), https://www.nytimes.com/2014/03/14/business/target-missed-signs-of-a-dat….
[4] Allison Grande, Target Pays $39M To Settle Card Issuers’ Data Breach Claims, Law360 (Dec. 2, 2015, 12:39 P.M.), https://www.law360.com/articles/733321/target-pays-39m-to-settle-card-is….
[5] See In the Matter of Investigation by Eric T. Schneiderman, Attorney General of the State of New York, Assurance No. 17-094 (May 15, 2017), https://ag.ny.gov/sites/default/files/nyag_target_settlement.pdf.
[6] Jason Wool, Not a Bank or Insurer? The NY Department of Financial Services Cyber Regulations Could Still Apply to You, ZwillGen Blog (Mar. 27, 2017), http://blog.zwillgen.com/2017/03/27/ny-dfs-cyber-regulations.
[7] DFS Cybersecurity Requirements, § 500.17(a). The full text of § 500.17 reads:
(a) Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following:
(1) Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
(2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.
[8] New Oxford American Dictionary.
[9] IT Standard: Cyber Incident Response, N.Y. State Office Info. Tech. Servs., NYS-S13-005 (Mar. 10, 2017), https://its.ny.gov/sites/default/files/documents/nys-s13-005_cyber_incid….
[10] 45 C.F.R. § 164.408(a).
[11] 45 C.F.R. § 164.408(a)(2).
[12] New Oxford American Dictionary.