Media reports of attacks on financial services organizations, from banks as large as JPMorgan Chase to one- and two-person broker-dealers, are too numerous to list here. Recent breaches of financial information have led the Financial Industry Regulatory Authority (FINRA), the Commodity Futures Trading Commission, and the Securities and Exchange Commission to promulgate or update regulations concerning the protection of financial data. The Gramm-Leach-Bliley Act, which mandates certain confidentiality controls for consumer financial information, has not been updated in recent years, but in 2016 the Federal Trade Commission, which enforces this statute, sought comments on a proposed revision of the FTC Safeguards Rule that would require specific measures to keep customer information secure. Yet if the acquirer asks only about compliance with the regulations of these federal agencies, it may be missing a potentially significant risk: exposure to state proceedings.
As with healthcare data, financial data protection has been the subject of numerous investigations by state attorneys general. The Attorneys General of Maryland, New York, California, and several other states launched investigations in the wake of the massive breach of credit card information from Home Depot in 2014. The New York Attorney General participated in a multi-state settlement with TD Bank over a breach of the data of 260,000 customers, 31,407 of whom were New York residents. California's experience with data breaches led to a comprehensive breach report released in February 2016 and to the promulgation of the minimum security standards discussed below.
The New York Department of Financial Services (NYDFS) has conducted audits of financial services organizations under its jurisdiction since March of 2015, initially with a cybersecurity questionnaire. Organizations under the jurisdiction of NYDFS include banks, investment companies, credit unions, insurers, and upwards of 2,200 other companies.
In September 2016, New York’s Governor Andrew Cuomo announced that the NYDFS proposed cybersecurity regulations would go into effect following a 45-day comment period unless modified. They would require covered financial services organizations to:
- Prepare and implement a written information security plan and train the workforce on that plan;
- Establish a clear breach response protocol and report certain breaches to NYDFS;
- Designate a Chief Information Security Officer;
- Prepare detailed policies and procedures to monitor the security safeguards of third-party service providers;
- Implement multi-factor authentication;
- Perform quarterly vulnerability assessments and annual penetration tests; and
- Maintain an audit trail system that would log access to critical systems and system events including alterations to the audit trail systems.
General Information Safeguards at the State Level Continue to Evolve
Privacy and information security requirements in many states cover regulated information in categories beyond healthcare and financial information and may, in fact, be stricter than federal information safeguards. In the case of healthcare, following the 2013 effective date of the Omnibus Final Rule, state attorneys general may decide whether to proceed under these state provisions or to bring proceedings for violations of the HIPAA Privacy or Security Rules. The Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.03), discussed in further detail below, mandates precise safeguards for the protection of sensitive personal information that falls into several categories, including financial data. The Office of the Massachusetts Attorney General has brought a number of proceedings under these regulations.
In February 2016, the Office of the Attorney General of California, a state that has long been a leader in security and privacy safeguards, adopted the 20 controls of the Center for Internet Security's Critical Security Controls as "a minimum level of information security that all organizations that collect or maintain personal information should meet." These controls provide more comprehensive security safeguards than the CMIA (the Confidentiality of Medical Information Act, which comprises mostly privacy protections). The Attorney General's February 2016 report states that these controls are the standard for information protection in California: "The failure to implement all the controls that apply to an organization's environment constitutes a lack of reasonable security." It is possible that the