New York’s Cybersecurity Requirements for Financial Service Companies

New York was concerned that sensitive data held by companies, such as people’s banking information, social security numbers and other financial records, could be unlawfully accessed by hackers (other nations, individuals, companies). The New York Department of Financial Services (“DFS”) has promulgated regulations entitled the “Cybersecurity Requirements for Financial Services Companies”, which can be found at 23 NYCRR 500.

The regulation applies to “Covered Entities” which means any person or individual holding a permit or license or otherwise authorized to operate under the New York Banking Law, the Insurance Law or the Financial Services Law. Subject to certain exemptions, discussed briefly below, Covered Entities have to have a Cybersecurity Program, based on a risk assessment that the Covered Entity has to perform, that fulfills the following:

(1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;

(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

(5) recover from Cybersecurity Events and restore normal operations and services; and

(6) fulfill applicable regulatory reporting obligations.

Additionally, each Covered Entity, unless exempt, has to appoint a Chief Information Security Officer, and adopt a Cybersecurity Policy, addressing the following:

(a) information security;

(b) data governance and classification;

(c) asset inventory and device management;

(d) access controls and identity management;

(e) business continuity and disaster recovery planning and resources;

(f) systems operations and availability concerns;

(g) systems and network security;

(h) systems and network monitoring;

(i) systems and application development and quality assurance;

(j) physical security and environmental controls;

(k) customer data privacy;

(l) vendor and Third Party Service Provider management;

(m) risk assessment; and

(n) incident response.

The regulation also imposes other requirements, such as regular reporting to the DFS, training, confidentiality and encryption.

A Covered Entity may be exempt from some, but not all, of the requirements of the regulation. Notably, those with fewer than 10 employees (or contractors), or less than $5,000,000 in gross annual revenue in the last three years, or less than $10,000,000 in year-end total assets (calculated as per GAAP) are exempt from some of the onerous items. Similarly, those that don’t hold any important information, and those that are only related, subsidiary or affiliated persons or entities (that are Covered Entities themselves) of a Covered Entity that is fulfilling its obligations under the regulation, are exempt from other portions of the regulation. New York State DFS provides helpful charts in its FAQ for the regulation.

The “Look Back” Requirement of the California Consumer Privacy Act of 2018

So while the California Consumer Privacy Act of 2018 won’t take effect until 2020 (or later, depending on when the regulations are issued), when it does go into effect, part of it will require companies that are subject to the act to have kept records of the data collected within the 12 months prior to the effectiveness of the act. This seems a little retroactive in application, and it is legally questionable how this will be enforced, but any companies that are doing business in California should be cognizant of the application and time periods here and should have a procedure in place to track what is being collected and from whom. Additionally, when the Act does come into effect, companies will have to inform California consumers about the data that has been collected and how it was used, especially whether it was sold to or shared with third parties. Having a procedure in place to track it now is important.

Updates to the California Consumer Privacy Act of 2018

We introduced the California Consumer Privacy Act of 2018 (CCPA) before, and there have been some updates since then. While the CCPA was to take effect on January 1, 2020, the date of effectiveness and the date by which the California Attorney General has to promulgate the regulations for same have been pushed back to July 1, 2020. Similarly, the time of enforcement of same is to be that date if the regulations are published by then and, if not, six months from the date of publication of the regulations.

There was lobbying in California regarding the private right of action in the CCPA and there was some language added to clarify the limits of consumer suits against companies.

On the federal level, Senator Marco Rubio introduced what he called the American Data Dissemination Act (and used the acronym “ADD Act”), which he presents as a federal data protection bill which would require the FTC to promulgate national regulations on data protection and would explicitly preempt state laws like the CCPA. It is to be based on the antiquated Privacy Act of 1974. Without specific statutory language or regulations for the ADD Act, it is unclear what the reasons for its genesis are. If it were to follow the European model, an entirely new statutory scheme would likely be needed. The purpose could also be to halt the rise of 50 different data protection laws, one from each state. In any event, the members of Congress have been getting heavily lobbied by the US Chamber of Commerce and other business groups. It should be interesting to see how it all plays out. Companies should not, however, presume that the CCPA will be pre-empted and should begin to prepare for same now.

The Opportunity in Opportunity Zones

One of the more interesting and useful items to come out of the Tax Cuts and Jobs Act of 2018 is the creation of so-called Opportunity Zones. An Opportunity Zone is a particular census tract which the government has designated as a distressed community, and investments in same are entitled to certain benefits vis-à-vis the investor’s capital gains taxes from such investment. The goal is to stimulate investments into such areas which would not otherwise have occurred.

The benefits that Opportunity Zones provide relate solely to the timing and possible reduction of an investor’s capital gains taxes. The program won’t apply to ordinary income tax issues, and there are no credits or other types of incentives provided for in the program (it’s less exciting than some folks originally thought, but still a large benefit to the right investors/projects/companies). The Opportunity Zones program provides for a delay, reduction or elimination of capital gains taxes in three ways, as set forth below:

  • First is a temporary tax deferral for any taxpayer who has capital gains but re-invests same, within a 180-day period, into a Qualified Opportunity Fund (discussed below). The gain is deferred but must be recognized on the earlier of the date on which the opportunity zone investment is sold or December 31, 2026 (there is some grey area with respect to holding the investment past December 31, 2026, and hopefully the IRS clears it up). You do not have to live or work in an opportunity zone; you just have to invest in it (in a company located in one or property located in one). The IRS issued Form 8949 for reporting these re-investments.
  • Second is a step-up in basis for any capital gains that were invested (i.e. re-invested) in a Qualified Opportunity Fund. The basis of the original investment is increased by 10% if the investment in the Qualified Opportunity Zone Fund is held by the taxpayer for at least 5 years, and by an additional 5% if held for at least 7 years, excluding up to 15% of the original gain from taxation.
  • Third is a total exclusion from taxable income (i.e. the investor’s basis is increased to FMV) of capital gains from the sale or exchange of an investment in a Qualified Opportunity Zone Fund (but not the original capital gain, which is handled by the second point above) if held for more than 10 years.

The Opportunity Zone program allows funds to be set up, called Qualified Opportunity Zone Funds, which pool investor money (as a partnership or corporation) for investing in eligible property located in a Qualified Opportunity Zone (a list of such Qualified Opportunity Zones is set out in IRS Notice 2018-48).

To become a Qualified Opportunity Zone Fund, an eligible corporation or partnership self-certifies by filing Form 8996, Qualified Opportunity Fund, with its federal income tax return. Early-release drafts of the form and instructions are posted, with final versions expected in December. The return with Form 8996 must be filed timely, taking extensions into account.

The California Consumer Privacy Act of 2018

So the wave of privacy laws originating in Europe has hit the United States. On June 28, 2018, the California Consumer Privacy Act of 2018 was signed into law (referred to in this post as the “Act” or the “Law”). It is both similar to, and distinct from, the GDPR. Companies should absolutely not assume that if they are GDPR compliant, they are also compliant with the California law. The California law has broad out-of-state reach, and violations carry serious monetary penalties, including actions from the Attorney General of the State of California or from individuals (either separately or as a class action). Companies should make sure they are out in front of this law. The date the Act is set to take effect is January 1, 2020.

Individual Data Subject Rights Under the GDPR

Any company that is subject to the GDPR, among other things, must ensure that it does and can timely comply with requests from any EU data subject with respect to the data subject’s rights under the GDPR, which are:

  1. Right of access – EU data subjects are entitled to know if their data is being processed and if so the terms of same.
  2. Right to rectification – EU data subjects have the right to correct information held by any controller.
  3. Right to erasure – Be ready to completely remove any EU data subject’s personal data from your systems (if anything cannot be removed they need to be told why) upon their request.
  4. Right to restriction of processing – Be ready to restrict a specific EU data subject’s personal data from being processed in any manner to which that data subject states he or she no longer consents (even if he/she provided consent for such processing earlier).
  5. Right to data portability – Be ready to provide a copy of each EU data subject’s personal data upon their request; this can include sending it to the data subject or sending it to a third party. Your company should be able to comply with any request within 30 days at no charge to the EU user.
  6. Right to object – Be ready to halt certain activities with respect to the personal data of any EU data subject if notice is provided to you by such EU data subject (this is in addition to the right to restriction of processing, and prior consent can be modified or withdrawn at the EU data subject’s whim).

Global Scope of the GDPR & Applicability to Companies in the United States

So this is the question that is coming up more and more here in the United States – Does the GDPR apply to our company?

Remember that the GDPR was put in place to protect individuals from improper use of their personal data, to allow them to freely move same, and to let them enjoy certain other rights with respect to their personal data. While its reach is broad, the GDPR does not apply to processing of data that falls outside the scope of EU law (processing for public safety or government matters is not subject to it). If your company interacts with customers within the EU for purposes of trade, and you store, process or share EU citizens’ personal data, then the GDPR rules apply to your company.

GDPR’s Restrictions on “Processing” of Personal Data

At the heart of it, the European Union’s new data privacy legislation, the General Data Protection Regulation (“GDPR”), restricts what the companies that hold or manipulate personal data of individuals can do with it, and what type of consent is required for what acts. Like all regulations, it has a number of defined terms, which must be understood to grasp the coverage of the GDPR. In summary, it covers a lot of activities that companies may not have thought would be regulated.

Privacy Law – The EU’s General Data Protection Regulation (GDPR) – Data Breaches

We will be doing a number of posts on the European Union’s General Data Protection Regulation (“GDPR”), as it will be taking effect in May of 2018. Unlike its predecessor, the GDPR is not a directive but a regulation, meaning that all EU member countries have to comply with its explicit terms (unlike a directive, which they are to incorporate into their domestic law). The GDPR applies to a lot of data, but only that which is “personal data”, defined as “any information relating to an identified or identifiable natural person (‘data subject’)”.

One of the important new aspects of the GDPR versus any European predecessor is that it defines the term “personal data breach”, and sets forth notification requirements to both the jurisdiction and the individuals that were or could be affected by the breach.