NYS Department of Financial Services Rules in Effect
Monday, February 27, 2017
Posted by: Mary Mack
Security audits will become tougher for law firms and ediscovery companies that serve New York financial firms.
While the NYS Cyber Rules (23 NYCRR 500), effective March 1, 2017, were expected to cover financial institutions, it may come as a surprise that, in addition to financial data, health-related information is also protected. Third party suppliers that serve covered entities have a special section devoted to their responsibilities. These responsibilities span multi-factor authentication, encryption, breach notice, and representations and warranties about securing Nonpublic Information.
The regulation provides in part:
Section 500.11 Third Party Service Provider Security Policy.
(a) Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:
- the identification and risk assessment of Third Party Service Providers;
- minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity;
- due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and
- periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.
(b) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing:
- the Third Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication as required by section 500.12 of this Part, to limit access to relevant Information Systems and Nonpublic Information;
- the Third Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;
- notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third Party Service Provider; and
- representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.
(c) Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part.
The nonpublic information covered by the Rules includes:
(g) (2) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records;
(g) (3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.
Read the regulation here