03/02/2017


Client Alert

Written by: Thomas W. Halm, Jr. and Brett M. Buterick

Are you currently doing business in New York, or are you providing services to a company that does business in New York? If the answer to either question is yes, you need to be aware of new cybersecurity regulations created by the New York Department of Financial Services (“NYDFS”), which went into effect on March 1, 2017. These regulations are some of the most restrictive established to date and even affect companies that are domiciled outside of the State of New York.

Traditional financial service companies, such as banks and insurance companies, as well as other entities regulated by the NYDFS, such as business entities incorporated in New York, charitable foundations, holding companies, mortgage bankers, mortgage and insurance brokers, and mortgage loan services, are now required to implement strict information security practices and procedures in order to secure nonpublic information. As a result, these “Covered Entities” have to design and maintain a cybersecurity program, including a written information security policy, that protects the confidentiality, integrity, and availability of their nonpublic data, including but not limited to items such as social security numbers, driver’s license numbers, security codes, passwords, health information, and, for the first time, business-related data whose disclosure could adversely impact the business, its operations, or its security. The regulations further require that Covered Entities retain a Chief Information Security Officer and that an auditable record of data and of compliance with information security policies be established.

Additionally, these new regulations require that Covered Entities ensure that their Third Party Service Providers, including lawyers, accountants, IT vendors, and any other party who might have access to information which could damage a business entity, are able to adequately secure the confidentiality, integrity, and availability of all nonpublic information to which they have access. This requires Covered Entities to establish minimum standards for vendor compliance and to periodically conduct audits and risk assessments of their vendors’ security practices.

If you have questions about these new regulations and their effect on your business, please click on the attached link or feel free to contact us to see how we can assist you with your information security concerns.

Hill Wallack LLP is at the forefront of information security and data protection. After an extensive two-and-a-half-year process, the firm has achieved ISO 27001:2013 Certification, a feat that puts it in an elite class of law firms that are certified and audited under international standards for data security and risk protection. The firm understands the importance of information security and has made a substantial commitment to its clients to take cybersecurity seriously. If you are interested in Hill Wallack’s ISO 27001:2013 Certification and what it means for you or your business, please click on the attached link.