It is highly likely that the National Association of Insurance Commissioners (“NAIC”) will adopt a model data cyber security law premised largely on the New York State Department of Financial Services (“NYSDFS”) cyber security regulations.  Recently, we discussed the NYSDFS’ proposed extension of its cyber security regulations to credit reporting agencies in the wake of the Equifax breach.  New York Governor Andrew Cuomo has announced, “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”  Upon adoption by the NAIC, the NYSDFS regulations requiring that NYS financial organizations have in place a written and implemented cyber security program will gain further traction toward setting a nationwide standard for cyber security and breach notification.  Indeed, although there are differences, the NAIC drafters emphasized that any Licensee in compliance with the NYSDFS “Cybersecurity Requirements for Financial Services Companies” will also be in compliance with the model law.

The NAIC Working Committee expressed a preference for a uniform nationwide standard: “This new model, the Insurance Data Security Model Law, will establish standards for data security and investigation and notification of a breach of data security that will apply to insurance companies, producers and other persons licensed or required to be licensed under state law. This model, specific to the insurance industry, is intended to supersede state and federal laws of general applicability that address data security and data breach notification. Regulated entities need clarity on what they are expected to do to protect sensitive data and what is expected if there is a data breach.  This can be accomplished by establishing a national standard and uniform application across the nation.”  Other than small licensees, the only exemption is for Licensees certifying that they have in place an information security program that meets the requirements of the Health Insurance Portability and Accountability Act.  According to the Committee, following adoption, it is likely that state legislatures throughout the nation will move to adopt the model law.

The model law is intended to protect against both data loss negatively impacting individual insureds, policy holders and other consumers, as well as loss that would cause a material adverse impact to the business, operations or security of the Licensee (e.g., trade secrets).  Each Licensee is required to develop, implement and maintain a comprehensive written information security program based on a risk assessment and containing administrative, technical and physical safeguards for the protection of non-public information and the Licensee’s information system.  The formalized risk assessment must identify both internal threats from employees and other trusted insiders, as well as external hacking threats.  Significantly, the model law recognizes the increasing trend toward cloud based services by requiring that the program address the security of non-public information held by the Licensee’s third-party service providers.  The model law permits a scalable approach that may include best practices of access controls, encryption, multi-factor authentication, monitoring, penetration testing, employee training and audit trails.

In the event of unauthorized access to, disruption or misuse of the Licensee’s electronic information system or non-public information stored on such system, notice must be provided to the Licensee’s home State within 72 hours.  Other impacted States must be notified where the non-public information involves at least 250 consumers and there is a reasonable likelihood of material harm.  The notice must specifically and transparently describe, among other items, the event date, the description of the information breached, how the event was discovered, the period during which the information system was compromised, and remediation efforts.  Applicable data breach notification laws requiring notice to the affected individuals must also be complied with.

New York State has issued proposed regulations extending existing regulations requiring banks and other financial institutions to have in place a comprehensive cybersecurity program to credit reporting agencies.  Governor Mario Cuomo announced that “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Under the proposed regulations, every consumer reporting agency that assembles, evaluates or maintains a consumer credit report on NYS consumers must register with the State by February 1, 2018 and have in place a written cybersecurity program by April 4, 2018. The program must identify and assess internal and external cybersecurity risks that may threaten non-public information, including personally identifying consumer information. The program must include provisions that address data governance and classification, asset inventory and device management, access control and identity management, systems and network security and monitoring, as well as other mandated areas.

Because the elements required to be addressed in the program are comprehensive, credit reporting agencies should begin the process of developing the program now to meet the April 4, 2018 deadline. Once the program is in place, moreover, the regulations also mandate phase in implementation dates for additional minimum protective standards that must be met.  These include requirements for annual penetration testing, bi-annual vulnerability assessments, limitations on data retention, encryption of non-public information and system generated audit trails to detect and respond to cybersecurity events.

Each agency must conduct a risk assessment of its information systems to include criteria for the evaluation and categorization of identified internal and external threats facing the organization. The risk assessment must describe how identified risks will be mitigated or accepted and how the program will address those risks.  Significantly, the risk assessment must not only address external hacking threats, but also require the identification and mitigation of risks posed by employees and other insiders, such as trusted vendors and independent contractors.  For example, employees who remotely access internal networks must be subject to multi-factor authentication or other “reasonably equivalent or more secure access controls.”

Each organization must also designate a qualified person as a Chief Information Security Officer responsible for implementation and enforcement of the program. The CISO will ultimately be responsible for responding to requests for “examination by the Superintendent of Financial Services as often as the Superintendent may deem it necessary.”  There are also breach notification requirements, as well as a mandate that the Board of Directors or a Senior Officer annually certify compliance with the cybersecurity regulations.  Failure to comply may result in revocation of the agency’s authorization to do business with New York’s regulated financial institutions and consumers.

Stay tuned to whether New York State’s call to action takes hold across the nation. In the meantime, you may find the governor’s press announcement by clicking here.

Employers across all industries are deep in the midst of exciting but unchartered and fluid times. Rapid and unforeseen technological advancements are largely responsible for this dynamic. And while there is a natural tendency to embrace their novelty and potential, the reality is that these advancements are often outpacing our regulatory environment, our bedrock legal constructs, and, in some cases, challenging the traditional notions of work itself.

For employers, this presents numerous challenges and opportunities—from the proper design of the portfolio of the modern workforce, to protecting confidential information in an increasingly vulnerable digital world, to managing resources across less and less predictable borders, and to harnessing (while tempering the power of) intelligence exhibited by machines.

The time is now (if not yesterday!) to develop a long-term strategy to help navigate these current issues and anticipate the challenges and opportunities of the future.

The articles in this Take 5 include:

  1. Embracing the Gig Economy: You’re Already a Player in It (Yes, You!)
  2. AI in the Workplace: The Time to Develop a Workplace Strategy Is Now
  1. Best Practices to Manage the Risk of Data Breach Caused by Your Employees and Other Insiders
  1. News Media Companies Entering the Non-Compete Game
  1. Employers Dodge Bullet in Recent U.S. Supreme Court Travel Ban Order

Read the full Take 5 online or download the PDF.

Human Resources and Payroll should advise employees in their departments to be on the lookout for the latest tax season phishing scam designed to steal employees’ tax related information and social security numbers. Given the regular frequency of these types of attacks, employers should be taking appropriate steps to safeguard employee Personally Identifiable Information (“PII”).  At a minimum, Human Resources should have in place written policies regarding the handling of employee PII and provide training designed to protect employee PII against a data breach.  Because Human Resources works with employee PII on an everyday basis, it may be the best equipped to secure sensitive personnel information against the type of fraudulent scheme highlighted in the recent IRS alert.

On February 2, 2017, the IRS issued an urgent alert to employers regarding a phishing scheme intended to steal employees’ tax related information to commit identify theft and tax fraud. The IRS reports that the scam involves spoofing an email to make it appear as if it is coming from an organization’s executive.  The email is sent to an employee in the Human Resources or Payroll departments, requesting a list of employees and their Forms W-2.  The IRS reports that the phony email may also request the names and social security numbers of employees with their addresses and dates of birth.  Since the email is disguised to be from an internal email address, should the HR or Payroll employee respond with the information it will actually be sent out of the organization to a cybercriminal.  The phishing scam is presently targeting healthcare organizations, shipping companies, school districts, restaurants, and temporary staffing agencies.

What preventative steps can be taken to guard against these attacks? Human Resources should ensure that policies and procedures are in place requiring that the sending of employees’ confidential tax related information by email only be done with 100% confidence that the intended recipient is within the organization and has requested the information. Indeed, the IRS advises that employers consider adopting written policies that govern the electronic distribution of confidential employee Form W-2s and tax related information.  One simple protective measure may be that a phone call confirmation is required before hitting the send button.  As a general matter, employers should have in place comprehensive written policies and procedures that govern the electronic sending, receiving and storage of confidential personnel related PII and provide workforce training to protect against data breaches and fraudulent schemes.  In addition to procedures verifying that the recipient of sensitive PII is actually within the organization, employers may also want to consider technologies providing for use of encryption when sending personnel related PII by email.  The maxim that “an ounce of prevention is worth a pound of cure” is in full effect here since a well thought out strategy is the best defense.