When should you report a data breach?

March 8, 2021 at 9:44 am

That is the question I hope you all have policies and procedures to answer. A recent enforcement action by New York’s Department of Financial Services (DFS) underscores that the Department is deadly serious about ensuring that institutions subject to its licensing requirements comply with the State’s cutting-edge cybersecurity regulations. For those of you not subject to New York State’s dictates, keep in mind that New York State’s regulations are becoming a national model.

In the matter of Residential Mortgage Services, Inc., DFS announced a $1.5 million fine against a mortgage company headquartered in Maine that was licensed to do mortgage business in New York State. As part of a routine audit, the Department discovered that the mortgage banker had suffered a data breach it had not disclosed to the State. It also did not have adequate policies and procedures in place to perform the periodic risk assessments that New York State requires under these regulations. The breach DFS was concerned about involved an employee who notified her IT team, but only after she had given a hacker posing as a vendor access to her email. The employee handled sensitive mortgage information.

Should the company have notified DFS? Under 23 NYCRR 500.17, covered entities are required to report cybersecurity events within 72 hours. A cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System. This settlement underscores that when in doubt you should report a breach. That said, this is an incredibly broad definition, since any IT person will tell you that even the smallest of businesses is bombarded with attempted break-ins all the time. In the accompanying Q&A, DFS explains that “notice to the Department under 23 NYCRR Section 500.17(a)(2) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature.” This explanation of course gives you little discretion in the event that a data breach is successful.

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
