States Are Cracking Down on Cybersecurity Laggards

Thomas C. Carey

By Thomas Carey. Chair of our Business Practice Group

June 2017 IP Update

On May 23, the attorneys general of 47 states and the District of Columbia reached a settlement with Target Corporation of enforcement actions brought after a 2013 breach of the retail chain’s computer system.  That breach famously compromised credit and debit card information of 40 million customers.

The headline that most commonly came out of this settlement is that Target agreed to pay $18.5 million to the states.  This article is not about that penalty, because the more far-reaching aspect is the detailed obligations to ensure security that the state AGs have imposed upon Target.

To a degree, these measures resemble the requirements recently imposed on banks, insurance companies and brokerage houses by the New York Department of Financial Services.  Taken together, the Target settlement and the New York regulations reflect a growing expectation among the states that companies take strong measures to safeguard their data and that of their customers.

Both the settlement and the regulations require the adoption of a formal information-security program that details administrative, technical and physical safeguards.  While the Target settlement is directed to data regarding consumers and their credit cards, the New York regulations require financial institutions to protect all non-public information.  This would include, for example, customer lists, vendor lists, computer source code and unpublished patent applications.

Both the settlement and the regulations require the appointment of an executive experienced in information security.  That officer must advise both the CEO and the board of directors about the company’s security posture and risks.  The regulations, more specifically, require this information security officer to report at least annually to the board of directors, including details of successful or unsuccessful efforts to gain unauthorized access to the company’s systems.

The settlement goes further than the New York regulations in requiring Target to scan and map the connections between its cardholder data environment (CDE) and the rest of its computer network and to segregate the CDE from the other parts of the network. To do so, Target must restrict or disable all unnecessary network programs that provide access to the CDE.

In addition, the settlement requires Target to deploy a file-integrity monitoring system that notifies personnel of unauthorized modifications to critical applications or to operating system files within the CDE.

Both the settlement and the New York regulations require an evaluation of the cybersecurity measures of vendors to ensure they comply with the company’s cybersecurity policy.  The regulations limit this scrutiny to those vendors that maintain, process, or otherwise are permitted access to the company’s nonpublic information. Presumably, the settlement is meant to be limited in the same fashion, but its language is not clear on this point.  The New York regulations pertaining to vendors do not go into effect until March 1, 2019.

Other elements common to these two developments are an emphasis on encryption of data, both at rest and in transit; two-factor authentication; the creation and maintenance of audit trails; and the use of penetration testing to identify and fix vulnerabilities.  The Target settlement, quite naturally, focuses on compliance with credit card security standards, including PCI DSS, while the New York regulations specify the ability to reconstruct data pertaining to financial transactions.

The New York regulations also require financial companies to arrange for the periodic disposal of all non-public information that is no longer necessary for the company’s operations except where data retention is required by law.  Companies must retain for five years sufficient data to reconstruct financial transactions, and for three years audit data related to cybersecurity intrusions.

New York financial companies must also have a written incident-response plan that assigns responsibilities for decision-making and information-sharing, as well as correction of flaws detected in the information systems and controls.

Summary

The Target settlement and the New York regulations will have effects beyond Target and the directly regulated businesses because they apply indirectly to vendors to these companies. They illustrate the measures that the state attorneys general expect businesses to adopt.

Companies that follow these prescriptions will be less exposed, not only to the risk of compromised data, but to the risk of enforcement proceedings brought by the states or the Federal Trade Commission.  Taken together, these documents provide a good prescription for warding off cybersecurity threats.