Over the last two years, the states of California and New York issued new regulations regarding data privacy and cybersecurity. Both rules will have far reaching impacts across the United States, and in the case of New York’s 23 NYCRR 500, across the entire financial services sector. This column offers an overview of both regulations, discusses their high-level impact, and provides guidance on how to best deal with the downstream consequences of these new regulations.
New York’s 23 NYCRR 500
Adopted on March 1, 2017, 23 NYCRR 500 is fully in force as of March 1, 2019 (see Exhibit 1). It is a far-reaching regulation, as it affects not only New York–based banking, financial services, and insurance (BFSI) institutions, but also almost every foreign-based BFSI firm, since New York City is the world’s financial capital. Businesses violating this regulation are subject to the full force of the Superintendent of Financial Services’ authority, up to the revocation of charter. This provides wide-ranging and potentially disruptive powers to the superintendent; thus, the possible consequences of noncompliance cannot be ignored when assessing a BFSI client’s risk.
23 NYCRR 500 Highlights
- “All firms operating under license, registration, charter, certificate, permit, accreditation, … under Banking Law, the Insurance Law, or Financial Services Law” [New York State Department of Financial Services 23 NYCRR section 500.01(c)]
- Types of information covered: nonpublic information, including Social Security number, driver’s license number, banking account number, credit card number, debit card number, biometric records, and any security code, access code, or password [section 500.01(g)(2)]
- Establishment of cybersecurity policy, including information security, data governance and classification, access control and identity management, multifactor authentication for externally sourced access to nonpublic information, limitation on data retention, encryption of nonpublic information (both in-flight and at rest), business continuity/disaster recovery plans and resources, systems and network security monitoring, physical security and environmental controls, annual penetration testing, and biannual vulnerability assessments
- Third-party provider security policy, mandatory for all third-party providers who have access to systems containing nonpublic information
- Notification of a cybersecurity event within 72 hours of its identification if the event requires notice to a government body, self-regulating agency, or other supervisory body, or if the event has a reasonable likelihood of materially harming normal operations
Exemptions [section 500.19(a)(1)-(3)]
- Firms with fewer than 10 total employees (New York affiliates with fewer than 10 employees are not exempt)
- Firms with less than $5 million in gross annual revenue for each of the last three fiscal years from New York business operations
- Less than $10 million in year-end total assets, including all affiliates per GAAP
- Enforced by the Superintendent of Financial Services, pursuant to the superintendent’s authority under the law
In addition, auditors will have to deal with various personally identifiable information (PII), payment card industry information (PCI), and even potentially protected healthcare information (PHI). Furthermore, clients will be serving their own best interests by engaging external auditors as members of the biannual assessment team. An auditor’s independent view of a client’s environment will be a critical factor in keeping a business in compliance.
The California Consumer Privacy Act of 2018 (CCPA), enacted by plebiscite, is currently in effect, but will not be fully enforced until July 1, 2020 (see Exhibit 2). The first important factor in understanding the grave risk of noncompliance is that the courts are likely to construe the law liberally in their efforts to enforce it. Second, customers will have the right to seek legal redress in small claims court, as well as the regular courts, and will be able to file class actions without harming their ability to recover damages. Third, the penalties will accrue on a per-incident/event basis, not on a per-person basis. In other words, if 10 customer data elements are sold against the customer’s wishes, the company will receive 10 penalties. While businesses will use the courts to try to aggregate and minimize the cost of the penalties, the courts, having been instructed within the law itself (section 1798.194) to treat it liberally, will not easily be convinced to do so. In the wake of the Cambridge Analytica scandal (the impetus for the law’s passage), one can easily see how the penalties can quickly add up.
- All entities doing business with California residents, even if the business is conducted outside of California in part (there is an exemption for business transactions that take place fully outside of California)
- Specific rights of Californians [CCPA section 2(i)]:
  - Right to know what personal information is being collected about the individual
  - Right to know if personal information is sold or disclosed to a third party, and the right to know the name of the third party
  - Right to refuse the sale of personal information to a third party
  - Right to access all one’s own personal information and the information of minors in one’s custody
  - Right to receive equal service and price, even if the person exercises privacy rights
- Liberal construction—the law shall be liberally construed (by the courts) to effectuate its purposes (section 1798.194)
- Web-based enforcement requirement around a “clear and conspicuous link” to a “Do Not Sell My Personal Information” web page if the business collects client data
- Types of information covered (California Civil Code Title 1.81.5 section 1798.140):
  - Personal information, such as real name, alias, postal address, unique identifier, Social Security number, driver’s license number, passport number, IP address, e-mail address
  - All other items included in California Civil Code section 1798.80, including signature, physical characteristics or description, telephone number, passport number, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information
  - Commercial information, including property records
  - Biometric and psychometric data
  - Internet or other electronic network activity
  - Browsing and search history
  - Information about interaction with a website
  - Geolocation data (GPS)
  - Audio, electronic visual, thermal, and olfactory data
  - Professional and employment data
  - Inferred data from any of the above
- Consumer side—penalties as set forth by the law; not less than $100 or greater than $750 per data record (incident) or actual damages, whichever is greater (section 1798.150)
- State side—intentional violations subject to a $7,500 fine per incident
When auditing companies that do business with California residents, CPAs should ask the following questions:
- Has the company updated its website to reflect CCPA requirements?
- Does the company have adequate controls in place to protect the CCPA definition of “private information”?
- Does the company understand that PI in CCPA means PII, PCI, and PHI?
- Has the company enabled custodial control of minors’ data?
- Does the company have the ability to retrieve improperly sold customer data?
- Has anyone recommended data minimization or data anonymization? If so, how did the company react?
Concerns over digital privacy and security are likely to remain a priority for state and federal regulators for the foreseeable future. CPAs in New York and California should familiarize themselves with these new regulations and prepare their clients for the adjustments they will need to make to be compliant.