Opinion: Proposed NY Cybersecurity Regulations — Not Great but better than nothing?
Judith Germano recently wrote an article in Forbes entitled “Proposed NY Cybersecurity Regulation: A Giant Leap Backward?” We covered these proposed Department of Financial Services (“DFS”) regulations in two previous posts, “N.Y. Regulators Consider Cybersecurity Requirements for Banks and Insurers” and “New York: Proposed Regulations for Cybersecurity come up Short,” and some of the insights in Germano’s article are similar to positions that we posited. However, our analysis differed in a few key areas. Germano’s article states that mandates imposed at the state level make things too difficult for businesses, resulting in a patchwork of rules and regulations that vary across jurisdictions. Germano also argues that this makes it difficult to do business and that trying to keep track of these myriad regulations is fractured and ineffective.
Germano posits that the NY DFS approach is flawed for two specific reasons: (1) it will result in the same scenario we see with breach notification laws, where instead of a single federal statutory guideline we have 47 data breach notification laws — making it harder for businesses to operate in multi-jurisdictional settings; and (2) cybersecurity is not a one-size-fits-all matter but rather should be individualized and particularized in order to be effective and feasible.
While I would concur that the situation we now face, wherein there are 47 different breach notification laws, is far from ideal, it is conceivably better than nothing. While it would be easier for businesses to comply with breach notification regulations if there were fewer (or a single national one), it would certainly be more harmful to consumers if none existed. The point is that, while enough time has passed for 47 different breach notification laws to have been enacted, there is still no movement at the federal level. Consequently, without the individual state breach notification statutes we would face a situation where consumers were unprotected, having no breach notification laws whatsoever. While this scenario might be beneficial for businesses, it would provide little comfort to those whose personally identifiable information (“PII”) is, or was, subject to a breach.
Germano elaborates on her second point, stating that cybersecurity has to be individualized and should not apply broadly across all systems. However, Germano also asserts that frameworks created by organizations such as the National Institute of Standards and Technology (“NIST”) and the Federal Trade Commission (“FTC”) can be helpful and provide a baseline, while acknowledging that there is no single approach that can be applied to cybersecurity across all industries.
So, on the one hand, Germano states that a federal approach is the best course of action so that individual states are not legislating in this area; on the other hand, Germano advocates for a specialized and particularized application to meet the needs of the specific industry or segment. Any points raised with respect to having sufficient resources to monitor and coordinate enforcement of the NY DFS regulations are countered by Germano’s own argument that cybersecurity should be individualized instead of using a unified approach across all entities. One can only presume that such an approach would require even greater resources, since evaluations would have to be conducted at a micro rather than macro level, thus making it a much more resource-intensive process merely to determine which regulations should apply to an entity (leaving issues of enforcement unclear as well). So too, the process of monitoring and enforcement would then depend on each entity’s particular regulations, further adding to the complexity of such a scheme. Germano makes the point that while penetration (“PEN”) testing, end-to-end encryption, multi-factor authentication (“MFA”), and logging tools are valuable, they are not viable options for some companies since they would divert funds that could be used for other security purposes.
I do agree with the overall framework approach and with entities being able to determine which portions of the framework can and should be adopted and applied to their internal IT/IS systems. It is important to have a common scheme within which regulators and companies can operate. The question then becomes how the regulators match the framework components with the individual companies. If history has taught us anything with respect to businesses and cost allocation, it is that businesses will adopt the least-cost approach that reduces liability enough to balance the cost of security against the potential cost of litigation, loss of goodwill, or general loss of business. This is not to say that businesses are somehow opposed to security measures, but merely that their goals differ from those of the government and, specifically, regulators. The goal of a business is to maximize profits and shareholder value, so its ultimate objective will likely never be to maximize the protection of PII. Thus, if left to their own devices, businesses will merely determine the minimum level of cybersecurity protection that must be implemented in order to reduce their potential liability to acceptable levels.
In a regulated environment there are certain to be burdens imposed on entities that they may feel are onerous or cumbersome; such is the case with any regulatory agency — that is simply the nature of the beast. Also, I certainly concur that a national approach to these issues is the far better course of action. However, Congress’s failure to pass a federal breach notification statute does not bode well for its ability to take on a national cybersecurity standard either. Therefore, in the absence of clearly delineated, unitary and mandatory regulations, what choice do States really have? Can State legislatures sit idly by waiting for Congress to act? That seems ludicrous. Under the State police power they have the authority, and some might argue are therefore mandated, to act in this current vacuum. Is it the best-case scenario? Absolutely not; but then in life, and certainly in legislation, few things are.
Therefore, while federal legislative efforts in both the data breach and cybersecurity areas would be the ideal, we must acknowledge that we do not live in an ideal world (and if we did, we very likely would not need legislation to regulate data breach notifications or cybersecurity …). Given the realities that we face, it seems the more prudent course of action is to have something (e.g. data breach notification laws enacted in 47 jurisdictions) rather than nothing (e.g. zero federal data breach notification statutes) in place. So, while it is far from ideal, and while our previous post went into some detail discussing the issues with the NY DFS regulations, it is comforting, in some small part, to see legislators at least attempting to put something on the books.