Lisa Sotto Featured in DataGuidance Q&A Series: Thought Leaders in Privacy

Lisa Sotto, who leads the global privacy and cybersecurity practice at Hunton & Williams LLP, recently sat down with DataGuidance to discuss some of the biggest challenges and developments in the privacy world as part of the Thought Leaders in Privacy video series. The following is a Q&A distilled from a discussion about the New York State Department of Financial Services’ (NYDFS) new cybersecurity regulation.

DataGuidance: What are the main requirements under the NYDFS Cybersecurity Rule?

Lisa Sotto: These are very significant regulations. While they apply only to a narrow segment of a particular industry sector, they are far-reaching in their implications. They are risk-based standards that require the attention of senior leadership. Of course, cybersecurity is an issue that has risen very high on the radar screen of both boards and C-suites, and it really mandates their attention.

Generally, the rule requires that companies put in place a cybersecurity program and have a written policy. They need to have rules with respect to service providers, perform due diligence in advance of hiring them and have contractual provisions in place. There is a 72-hour notice requirement for notifying the NYDFS after the identification of a breach, which is very difficult, and there is a data retention provision which looks very much like the language that is used in European rules. Also of note, there is an annual recertification process, so senior leaders of the company or a board member need to annually certify compliance with these regulations.

DataGuidance: What will be the greatest challenges of the rules for organizations?

Lisa Sotto: There are two provisions that mimic what we’re seeing globally and hew closely to the EU General Data Protection Regulation (GDPR). (1) The 72-hour-notice requirement is fairly revolutionary in the United States, and extremely difficult to comply with. It requires that covered entities notify the NYDFS if any governmental entity or self-regulatory body needs to be notified of an incident, so this is a very broad standard. (2) The other provision that I think is particularly challenging for US companies is the data retention clause, which requires the disposal of information covered under these regulations if it is no longer needed for business purposes or another legitimate reason. Again, there are similarities here to the language used in the GDPR.

DataGuidance: How do the rules fit within the broader cybersecurity landscape?

Lisa Sotto: These are highly prescriptive rules. They’re far-reaching and reasonably unique in their coverage. I think the rules will effectively create a de facto national standard because financial institutions that do business in New York and are subject to these rules have interconnected systems. The practical reality is that they can’t possibly comply with this regulatory regime only with respect to their New York systems because those systems aren’t isolated from systems outside of New York.