The huge data breach at Equifax Inc. is under review by the New York Department of Financial Services for possible violations of state law or regulations, a source familiar with the case, who requested anonymity because of a lack of authority to speak officially about the investigation, told Bloomberg BNA.
The probe is the second into the breach by New York authorities. New York Attorney General Eric T. Schneiderman (D) announced Sept. 8 that his office is investigating the breach for possible violations of New York law. A spokeswoman for Schneiderman told Bloomberg BNA that the office couldn’t comment on an open investigation. Other states also are investigating, including Connecticut, Illinois, Massachusetts, and Rhode Island.
The NYDFS’s new financial services cybersecurity rules started to take effect this year, but the reach of the NYDFS over Equifax and whether it violated New York requirements is unclear. The company is based in Atlanta, and details of how and where the breach occurred haven’t been made public by Equifax. Still, with 143 million Americans, or more than half of all U.S. adults, affected by the breach, there are most likely banks and insurance companies in New York that were impacted, Mark Sangster, vice president of cybersecurity company eSentire Inc., told Bloomberg BNA. Determining whether those banks were notified of the breach directly by Equifax may be a focus for the NYDFS, he said.
Another possible avenue for NYDFS enforcement may be a broad authority granted in 2011 by the statute creating the state agency. Although the primary jurisdiction of the NYDFS is over banks and other direct financial services, the statute allows it to oversee related areas that were previously unregulated and would otherwise fall through the cracks.
A spokesman for the NYDFS declined to comment on possible enforcement actions by the state agency.
Marcus A. Christian, a partner at Mayer Brown LLP, who focuses on cybersecurity and data privacy, told Bloomberg BNA that it’s hard to know if the NYDFS regulations could have prevented the Equifax security breach because the details of the breach haven’t been determined.
“Equifax may have had all the controls in place that the NYDFS regulations require,” he said.
The rules require covered banks and financial institutions to create and maintain a cybersecurity program approved by their boards or a senior corporate official, appoint a chief information security officer, limit access privileges to nonpublic data and periodically review the process, and implement guidelines to notify the state regulator within 72 hours of cybersecurity or data security incidents.
Christian said he didn’t know why Equifax took weeks to report the breach, but there are at least two acceptable reasons that breaches are sometimes not reported right away. One is that law enforcement is involved and determines that notification and disclosure could hinder an investigation. Another is that it takes a long time to do a thorough forensic investigation of the causes and details of a security breach.
Equifax didn’t immediately respond to Bloomberg BNA’s email request for comment.
The NYDFS cybersecurity rules “lead as the most stringent and comprehensive set of guidelines, and other states are watching closely while considering adopting similar rules,” Sangster said.
Other states or Congress may be motivated to adopt new cybersecurity requirements given the scope of the Equifax breach.
The breach may be a “Sarbanes-Oxley moment,” Sangster said, referring to the federal financial oversight law that was passed in 2002 after several corporate financial mismanagement events came to light.
Christian said it’s unclear if the Equifax breach is a watershed moment that will lead to new laws or regulations. “We’ve thought that at some other points in the past” after other cybersecurity incidents but didn’t see changes, he said.
To contact the reporter on this story: Donald Aplin in Washington at email@example.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.