States Are Moving To Fill The Gaps In Federal Regulation. But What Do Businesses Need To Do?

Author: Eric Kaufmann, Esq., Manager

The challenge of cyber and privacy compliance is growing more complex as states increasingly exert influence with either new regulations, or increased enforcement of existing regulation. This dynamic is driven in part by a decrease in regulation at the federal level. Although state-level privacy and data security laws have existed for several years now, they primarily impacted companies not already complying with a federal-level regulatory regime such as HIPAA, NERC-CIP or FFIEC.

Throughout 2017 however, there are several examples of states passing laws that go beyond federal level requirements; as well as examples of states becoming more aggressive in enforcement of existing laws. All of this adds up to a significantly changed regulatory landscape from just a year ago. Without a strategy for keeping pace — and an apparatus for ensuring compliance — businesses everywhere could be exposing themselves to serious regulatory risk.

Change at the federal level

Before addressing what businesses need to do, it helps to understand, in general terms, what’s triggering the shift in the regulatory landscape.

At the federal level, the current administration has taken substantial steps toward reducing the regulatory burden on businesses. For example, this year Congress has exercised its authority under the Congressional Review Act (CRA) to repeal 14 regulatory schemes. The CRA allows Congress to eliminate federal regulations—within a 60-legislative-day window after they’re passed — by passage of a joint resolution with a simple majority vote and signature of the President. Such a resolution also prevents agencies from passing similar rules in the future. One such resolution rolled back a series of privacy regulations for internet service providers which had been issued by the FCC during the waning days of the Obama administration.

The push for deregulation of the financial services industry at the federal level has garnered momentum in recent months, with much of the focus on the Dodd-Frank Act and the independent agency it created, the Consumer Financial Protection Bureau (CFPB). In October, 2016, a three-judge panel of the U.S. Circuit Court of Appeals for the District of Columbia Circuit ruled that the CFPB’s single-director model is unconstitutional. In June, the Treasury Department’s Report to the President (pursuant to Executive Order 13772 on Core Principles for Regulating the United States Financial System) recommended a number of reforms to the CFPB which would rein in its authority. On the legislative front, the U.S. House of Representatives recently passed a bill (Financial CHOICE Act) which would undo many of the Dodd-Frank regulations. (The Senate is considering similar legislation.) While many questions regarding the long-term impact of these developments remain, they indicate a clear trend that we can expect to continue into 2018.

It worth noting that the one exception to this trend is in the area of enforcement, where there is no evidence of an active decrease in enforcement activity. In fact, statistics from the U.S. Department of Health and Human Services (HHS) suggest that 2017 is on pace to match or exceed the record amount of HIPAA fines imposed in 2016.

Change at the state level

While much of the activity at the national level reflects a broad trend away from consumer protections in the areas of personal information privacy and security, there has been an opposite trend in these areas at the state level.

Many are already familiar with New York State’s recent cyber security rules promulgated by its Department of Financial Services (23 NYCRR 500). These rules set minimum standards for a Cyber Security Program to include policy, management, reporting and control requirements.

Although New York has received much of the attention, other states have passed related bills as well. New Mexico became the 48th state to enact a data breach notification statute. (Only South Dakota and Alabama are without such a law.)  Also in 2017, Washington became the third state (joining Illinois and Texas) to enact a statutory scheme governing business use of biometric data.

In a direct response to the recent repeal of FCC Internet Service Provider privacy rules, approximately 20 states (and D.C.) have introduced legislation to bolster citizens’ internet privacy protections.

Current signs indicate these state-level efforts will expand. For example, so far in 2017, more than 40 states have introduced over 240 bills or resolutions pertaining to cybersecurity. The National Association of Insurance Commissioners (NAIC) is working toward finalizing its Insurance Data Security Model Law, which tracks many of the provisions set forth in the NY DFS cybersecurity regulations and will impact financial institutions in jurisdictions where it is enacted. Additionally, Virginia Governor Terry McAuliffe, as Chair of the National Governors Association, has been very active in promoting cybersecurity improvement among the states through his “Meet the Threat Initiative.”

On the regulatory enforcement front, states are increasingly willing to enforce privacy rights established under state law. In a recent healthcare case, the New York Attorney General announced a settlement with CoPilot Provider Support Services, Inc. (“CoPilot”), after the company violated New York General Business Law by waiting over a year to provide notice of a data breach that exposed over 220,000 patient records. As part of the settlement, CoPilot agreed to pay $130,000 in penalties and to improve its compliance programs. In another similar case, the Vermont Attorney General reached a settlement with SAManage USA, Inc., a business support services company, in connection with a data breach which exposed the Social Security numbers of 660 Vermont citizens. The settlement included the payment of a $264,000 penalty.

Equifax breach prompts significant responses on all fronts

The Equifax data breach which was publicly disclosed in September compromised the personal information of approximately 145 million consumers and triggered a flood of investigative and regulatory activity at both the federal and state levels. Congress has held hearings and proposed new legislation in response to the breach (including the reintroduction of the Personal Data Notification and Protection Act, which establishes a single national breach notification standard). Several federal agencies, including the Federal Trade Commission and the Consumer Financial Protection Bureau, have initiated inquiries. Federal authorities have also opened a criminal investigation into the breach.

At the state level, the Attorneys General of a majority of states have opened or joined probes into the Equifax breach. In September the Attorney General for Massachusetts filed the first enforcement action against Equifax in connection with the breach. The NY DFS has proposed a new regulation which would require credit reporting agencies to register with New York for the first time and comply with the state’s first-in-the-nation cybersecurity regulations.

What businesses need to do

Businesses need to be prepared to rapidly digest and operationalize these new requirements. For example, the next compliance date for the NYDFS cybersecurity regulations falls in early 2018. For international enterprises, this coincides with compliance deadlines for the EU General Data Protection Regulation (GDPR).

Keeping up with the rapidly changing regulatory landscape is not easy; and proves the need for a systematic and pragmatic compliance system. Such a system should allow business to ensure compliance, while not over controlling the organization.

Edgile’s iGRC Managed Content Services is such a system and reduces the regulatory burdens on business by:

  • Automatically identifying all applicable legal, statutory and regulatory requirements (including all directives at all levels — international, federal, state). Keeping track of new regulatory rules and guidance from state, federal, and industry-specific authorities is an intensive effort requiring both legal expertise and complete knowledge of your internal controls. With Edgile’s managed content services, our experts monitor all regulatory sources and update the library on a quarterly basis, freeing you from this task.
  • By providing a proven methodology to translate regulatory requirements into simple control plans that system administrators, application owners, and business risk owners can understand and follow.  We commonly see organizations that have identified their needed cyber and privacy controls, but struggle with operationalizing those controls. Their compliance systems failed to go “the last mile;” keeping the organization exposed to regulatory and cyber risk. Edgile’s methodology systematically maps regulatory requirements to system-specific controls, while keeping it simple and pragmatic for the business.
  • By using a “strategy-first” approach to regulatory compliance management. Today’s risk managers need to envision comprehensive solutions instead of addressing checkboxes. We advocate risk officers always start with a comprehensive cyber and privacy strategy that properly aligns risk objectives with business objectives. Such strategies are key to building the cross-functional alignment and risk ownership that lead to a successful cyber security program.

Eric Kaufmann is a Manager with the GRC group at Edgile. He is a licensed attorney.