With cybersecurity legislation and regulation sweeping the country in response to a series of high-profile hacking and ransomware attacks, it came as no surprise that cybersecurity was a topic at the recently concluded Conference on Legal Issues and Regulatory Compliance of the Mortgage Bankers Association. One of the main takeaways of the conference was that providers and service providers with consumer-facing platforms that collect personal information should review their cybersecurity policies immediately. Simply waiting for an agency investigation, an enforcement action, or a breach can lead to serious financial and reputational consequences.
To illustrate this point, a keynote speaker at the conference pointed to the enforcement action initiated in July 2020 by the New York State Department of Financial Services (DFS) against a leading title insurance company, alleging violations of the DFS Cybersecurity Regulation (23 NYCRR 500). Among other things, Regulation 500 requires that most financial institutions and other regulated companies operating in New York have a robust, written, and regularly reviewed cybersecurity program. The program must also include a plan for responding to and recovering from cybersecurity incidents, and the company must have trained cybersecurity personnel. Covered entities must also submit a certificate of compliance to DFS. Failure to comply with the mandates of Regulation 500 exposes violators to penalties of $1,000 per incident.
DFS alleged that the insurer did not follow its own cybersecurity policy after a vulnerability in its system exposed millions of files containing consumers' personal information, including bank account and Social Security numbers. DFS further alleged that the insurer misclassified the severity of the vulnerability; did not conduct a reasonable investigation into the scope and cause of the exposure; did not use cybersecurity staff; and falsely certified compliance with Regulation 500. A hearing is scheduled for August this year.
All companies collecting personal consumer data should take this enforcement action into account and adopt the following best practices:
- Follow written cybersecurity programs;
- Conduct periodic risk assessments to detect vulnerabilities, and update cybersecurity programs accordingly;
- Do not underestimate the level of risk associated with a vulnerability;
- Train and use cybersecurity staff; and
- Comply with representations made about cybersecurity programs.
If you are unsure whether your organization is complying with cybersecurity laws such as Regulation 500, you should contact a qualified legal professional to make an assessment as soon as possible. Aside from DFS and the Federal Trade Commission, agencies such as the Consumer Financial Protection Bureau and the Securities and Exchange Commission have shown a greater appetite to regulate and enforce rules on digital practices and risks. Now is the time to ensure that your organization meets the requirements.