Opinion: Proposed NY Cybersecurity Regulations — Not Great but better than nothing?

Judith Germano recently wrote an article in Forbes entitled “Proposed NY Cybersecurity Regulation: A Giant Leap Backward?” We covered the proposed New York Department of Financial Services (“DFS”) regulations in two previous posts, “N.Y. Regulators Consider Cybersecurity Requirements for Banks and Insurers” and “New York: Proposed Regulations for Cybersecurity come up Short,” and some of the insights in Germano’s article are similar to positions we took there. Our analysis differs in a few key areas, however. Germano argues that mandates imposed at the state level make things too difficult for businesses by producing a patchwork of rules that vary across jurisdictions, that this patchwork makes it harder to do business, and that a regime in which companies must keep track of these myriad regulations is fractured and ineffective.

Germano posits that the NY DFS approach is flawed for two specific reasons: (1) it will repeat the scenario we see with breach notification laws, where instead of a single federal statute we have 47 state data breach notification laws, making it harder for businesses to operate across jurisdictions; and (2) cybersecurity is not a one-size-fits-all exercise but must be individualized and particularized in order to be both effective and feasible.

While I concur that the current situation, with 47 different breach notification laws, is far from ideal, it is arguably better than nothing. It would be easier for businesses to comply if there were fewer such laws (or a single national one), but it would certainly be more harmful to consumers if none existed. The point is that enough time has passed for 47 different breach notification laws to be enacted, yet there is still no movement at the federal level. Without the individual state statutes, consumers would be unprotected by any breach notification law whatsoever. That scenario might be convenient for businesses, but it would provide little comfort to those whose personally identifiable information (“PII”) is, or was, exposed in a breach.

Germano elaborates on her second point, stating that cybersecurity has to be individualized and should not be applied uniformly across all systems. At the same time, she asserts that frameworks created by organizations such as the National Institute of Standards and Technology (“NIST”) and the Federal Trade Commission (“FTC”) can be helpful and provide a baseline, while acknowledging that no single approach to cybersecurity can be applied across all industries.

So, on the one hand, Germano states that a federal approach is the best course of action so that individual states are not legislating in this area; on the other hand, she advocates a specialized, particularized application tailored to the needs of each industry or segment. Any concern she raises about whether DFS has sufficient resources to monitor and coordinate enforcement of the NY regulations is undercut by her own argument that cybersecurity should be individualized rather than applied uniformly across all entities. One can only presume that an individualized approach would require even greater resources, since evaluations would have to be conducted at the micro rather than the macro level, making it a far more resource-intensive process merely to determine which regulations apply to a given entity (and leaving the question of enforcement unclear as well). Monitoring and enforcement would then depend on each entity’s particular set of regulations, adding further complexity to the scheme. Germano also makes the point that while penetration (“pen”) testing, end-to-end encryption, multi-factor authentication (“MFA”), and logging tools are valuable, they are not viable options for some companies, because the spending would divert funds that could be used for other security purposes.

I do agree with the overall framework approach, and with entities being able to determine which portions of the framework can and should be adopted and applied to their internal IT/IS systems. It is important to have a common scheme within which regulators and companies can operate. The question then becomes how regulators match the framework components to individual companies. If history has taught us anything about businesses and cost allocation, it is that businesses will adopt the least-cost approach that reduces liability just enough to balance the cost of security against the potential cost of litigation, loss of goodwill, or general loss of business. This is not to say that businesses are opposed to security measures, merely that their goals differ from those of the government and regulators. The goal of a business is to maximize profits and shareholder value, so its ultimate objective will likely never be to maximize the protection of PII. Thus, left to their own devices, businesses will simply determine the minimum level of cybersecurity protection needed to reduce their potential liability to an acceptable level.

In a regulated environment there are certain to be burdens that entities find onerous or cumbersome; such is the case with any regulatory agency, and it is simply the nature of the beast. I also certainly concur that a national approach to these issues is the far better course of action. However, Congress’s failure to pass a federal breach notification statute does not bode well for its ability to take on a national cybersecurity standard either. Therefore, in the absence of clearly delineated, uniform, and mandatory federal regulations, what choice do the states really have? Can state legislatures sit idly by waiting for Congress to act? That seems ludicrous. Under the state police power they have the authority, and some might argue are therefore obligated, to act in the current vacuum. Is it the best-case scenario? Absolutely not; but then in life, and certainly in legislation, few things are.

Therefore, while federal legislation in both the data breach and cybersecurity areas remains the ideal, we must acknowledge that we do not live in an ideal world (and if we did, we very likely would not need legislation to regulate data breach notification or cybersecurity at all). Given the realities we face, the more prudent course is to have something (e.g., data breach notification laws enacted in 47 jurisdictions) rather than nothing (e.g., zero federal data breach notification statutes) in place. So while the NY DFS regulations are far from ideal, and our previous post discussed their problems in some detail, it is comforting, in some small part, to see New York at least attempting to put something on the books.



Authors

Professor William Snyder

Professor William C. Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Christopher W. Folk

Christopher W. Folk is a second-year student at SU College of Law. Christopher is a non-traditional student, returning to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in Software Engineering and, in addition to being a full-time student, is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.

Ryan D. White

Ryan is currently a second-year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as a clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review and the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.

Anna Maria Castillo

Anna Maria Castillo is a third-year law student at Syracuse College of Law. She is also pursuing a Master of Arts in International Relations at Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She currently serves as an executive editor of the Syracuse Law Review.

Jennifer A. Camillo

Jennifer A. Camillo is a third-year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office, and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

Tara J. Pistorese holds Juris Doctor and Master of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia, and as an extern in the United States District Court for the Western District of Washington.

Benjamin Zaiser

Benjamin Zaiser is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of his official duties.)
