March 1, 2019 marked the expiration of a two-year grace period for regulated entities (Covered Entities) to come into compliance with the New York Department of Financial Services' (DFS) first-of-its-kind “Cybersecurity Requirements for Financial Services Companies” (the Cyber Requirements), 23 N.Y.C.R.R. 500. Now that the implementation phase is complete, DFS will no doubt look toward enforcing the Cyber Requirements. Indeed, Linda Lacewell, a former state and federal prosecutor, has been selected to serve as DFS's next superintendent and recently called cybersecurity “the number one threat facing all industries and governments globally.” Lacewell also put Covered Entities on notice that compliance with the Cyber Requirements is going to “take center stage.”

Questions remain, however, regarding what components of the Cyber Requirements DFS will scrutinize most closely and to what degree. One area of significant concern for Covered Entities involves “Third-Party Service Providers.” The Cyber Requirements mandate that Covered Entities, which include state-licensed insurance companies and banks, “implement written policies and procedures designed to ensure the security of” information that is “accessible to, or held by, Third-Party Service Providers.” The Cyber Requirements define a Third-Party Service Provider as any individual or non-government entity that is (1) not affiliated with a Covered Entity, (2) provides services to a Covered Entity, and (3) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the Covered Entity. DFS's focus on third-party cyber risk does not come as a surprise, given that third-party vendors pose one of the greatest threats to entities from a cybersecurity standpoint.

One component of containing Third-Party Service Provider cyber risk is the requirement that Covered Entities conduct due diligence when contracting with third parties. DFS has not, however, provided clear guidance on what type and amount of diligence Covered Entities must conduct or how rigorously DFS will enforce this component of the regulation.

Given this uncertainty, recent enforcement actions by other regulatory bodies in response to data breaches attributable to third parties may shed some light on what Covered Entities should do and what level of due diligence DFS may expect when it comes to third parties.


Cyber Requirements Regarding Third-Party Service Providers

As of March 1, 2019, all Covered Entities must have completed the following:

• implement Third-Party Service Provider security policies;

• complete identification and risk assessment of Third-Party Service Providers;

• identify minimum cybersecurity practices required by such providers to do business with the Covered Entity;

• enact due diligence processes to evaluate the Third-Party Service Providers' cybersecurity policies and practices, including limitation of access controls, encryption of information, and notice procedures in the event of a cybersecurity event; and

• require periodic assessments of Third-Party Service Providers—both old and new—based on risk and continued adequacy of their cybersecurity practices.


What Third-Party Service Provider Diligence Will Be Required?

With respect to the requirement that Covered Entities conduct due diligence on Third-Party Service Providers, neither DFS nor the Cyber Requirements shed much light on what will constitute an appropriate level of diligence. DFS has stated that Covered Entities cannot merely rely on a provider's own compliance with the Cyber Requirements, even if the provider itself is a Covered Entity that has filed a Certification of Compliance with the requirements. Additionally, DFS does not mandate that providers adopt any specific measures, such as encryption and multi-factor authentication, but has stated that Covered Entities should perform risk assessments based on “individual facts and circumstances,” and that the diligence process must be “thorough.” DFS has declined to provide more specific guidance.

But just as risk management involves benchmarking, a comparative analysis of how other regulatory bodies have interpreted third-party cyber diligence obligations may serve as a useful guide.

In April 2018, the FTC published a blog post in connection with a proposed settlement with BLU Products, a mobile device manufacturer, after allegations that a BLU contractor obtained “full administrative access and control of [BLU's] devices to update firmware over the air,” and collected and transmitted consumer personal information, including text, call, and message logs to the contractor's servers back in China without any authorization. According to the FTC complaint, BLU licensed software from third-party ADUPS Technology (ADUPS), which came pre-installed on BLU devices. The parties' contract provided that ADUPS would be responsible for certain device updates but did not contemplate any other services. Despite this extra-contractual activity by ADUPS, BLU represented to consumers that it disclosed consumer data to third parties only as necessary for the performance of those third parties' services. The FTC alleged that BLU failed to perform adequate due diligence in selecting and retaining ADUPS because BLU did not “assess or evaluate the privacy or security practices of ADUPS prior to entering into an agreement with that Company.”

The FTC settlement required BLU to implement and maintain a comprehensive security program that addresses security risk and protects personal information, such as development and use of “reasonable steps” to select and retain service providers capable of “appropriately safeguarding” personal information and requiring service providers to implement and maintain “appropriate safeguards” by contract. Putting this vague language into context, the FTC elaborated that companies should “understand how [potential data processing service providers'] services work,” what they will have access to, and what needs to be done to “conform [service providers'] conduct to the promises” made by companies to their customers. The FTC noted that diligence is an “ongoing process” and companies are responsible for “sensible data practices,” such as monitoring third parties' compliance with their contractually authorized and limited practices. In this way, the FTC made clear that companies are obligated to conduct ongoing diligence, rather than simply assessing third parties prior to engagement and then shifting the risk to third parties by contract.

At least one state has taken a similar, but even less forgiving, position on the question of third-party diligence. In April 2018, the New Jersey Division of Consumer Affairs (the DCA) announced a settlement with Virtua Medical Group, P.A. (VMG), a New Jersey-based physicians' network, based on the loss of patients' protected health information. According to the settlement, one of VMG's vendors misconfigured an FTP site containing medical records of VMG's patients, which, as a result, became searchable on the Internet. The DCA alleged that VMG “failed to conduct a thorough analysis of the risk to the confidentiality of the electronic protected health information … it sent to a third-party vendor” among other failures of data security. In announcing the settlement, the DCA stated:

VMG is being held accountable because it was their patient data and their responsibility to protect it. This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.

Here, human error caused the data breach, and no amount of preliminary diligence would have prevented the leak. Nonetheless, the DCA faulted VMG for failing to monitor vendor activities on an ongoing basis. In particular, the DCA noted that VMG did not “maintain a written or electronic log of the number of times the FTP Site was accessed.” At a minimum, the VMG case demonstrates the importance of ongoing third-party diligence and monitoring. It also makes clear that a company must implement measures that allow for ongoing monitoring of, and visibility into, the handling of its data, even when that data resides with a third party.

European regulators, in adopting the General Data Protection Regulation (GDPR), have advanced perhaps the most aggressive view on an entity's responsibility with respect to third-party vendor risk. Under the GDPR, data controllers are jointly and severally liable for damages resulting from a breach by a non-compliant third-party data processor unless the data controller can prove “that it is not in any way responsible for the event giving rise to the damage.” Although, ostensibly, the GDPR thereby provides a causation defense for controllers who can prove they had no role in causing a data breach, the standard of proof will be, in most cases, unachievable.


Conclusion

As the BLU and VMG cases, the GDPR, and DFS's Cyber Requirements make clear, regulators are highly focused on holding companies accountable for incidents arising from third-party failures, thereby discouraging the practice of outsourcing risk through contract. In fashioning diligence processes for third parties, Covered Entities should consider the following:

• Verify that Third-Party Service Providers' privacy policies correspond to their actual practices.

• Tie rigor of the diligence to the level of access and the type of data provided to the Third-Party Service Provider.

• Implement controls to alert the Covered Entity to cybersecurity failures at the third party.

• Include in relevant contracts the right to audit Third-Party Service Providers. Be prepared to exercise those rights or request information from independent assessments of the Third-Party Service Provider, such as risk assessments or penetration tests.

• Thoroughly investigate past cyber incidents, with an emphasis on the likelihood of similar incidents occurring in the future and the adequacy of remediation efforts taken.

• Revisit the diligence process on a regular, scheduled basis.

Only time will tell how DFS will interpret the Cyber Requirements related to Third-Party Service Provider diligence, but these steps should serve as a baseline for Covered Entities.

Una A. Dean is a partner and Michael A. Kleinman and S. Cynthia Luo are associates in the litigation department of Fried, Frank, Harris, Shriver & Jacobson.