Q. What is 23 NYCRR 500?

A. Pursuant to 23 NYCRR 500, beginning on February 15, 2018, most banks, insurers, and other financial institutions within the regulatory jurisdiction of the NY Department of Financial Services ("DFS") were required to take action to protect their customers' "nonpublic information" (discussed below) from cyberattacks. DFS and the NY State Assembly extended that requirement to continuing care retirement communities ("CCRCs"), such as adult day care and assisted living facilities.

As health care providers, CCRCs are already subject to HIPAA privacy standards and safeguards. 23 NYCRR 500 now further protects New Yorkers by imposing additional cybersecurity obligations on CCRCs.

Q. Are CCRCs "Covered Entities" under 23 NYCRR 500?

A. Yes. CCRCs are "Covered Entities"[1] under 23 NYCRR 500 because Insurance Law Section 1119 requires their contracts and rates to be reviewed and authorized by DFS, and because the Public Health Law subjects them to the examination authority of DFS. Simply put, CCRCs are "Covered Entities" under 23 NYCRR 500 because they are "operating under or required to operate under" DFS authorization.

Q. What is “nonpublic information”?

A. 23 NYCRR 500 requires a Covered Entity to protect "nonpublic information" ("NPI"). NPI includes business information whose tampering or unauthorized disclosure, access, or use would have a material adverse impact on the business, operations, or security of the Covered Entity, as well as personal and health information about individuals. Some examples of NPI include:

  • Social Security number, driver's license number, or identification card number.
  • Account number or credit or debit card number.
  • Security code, access code, or password that would permit access to an individual’s financial account.
  • Biometric records.
  • Mental or behavioral health of any individual or a member of the individual’s family.
  • The provision of health care to any individual.
  • Payment for the provision of health care to any individual.

Q. How do CCRCs comply with 23 NYCRR 500?

A. To comply, a CCRC must:
  • Establish a comprehensive cybersecurity program, including an Information Security Policy, with a designated Chief Information Security Officer.
  • Establish a cybersecurity governance program, often part of an Information Security Policy, with regular reporting and notifications to the executive team and annual reporting to the Board of Directors on the cybersecurity program status and material risks.
  • Establish and maintain an Information Security Policy that covers, at a minimum, data classification, business continuity and data recovery, vendor risk management, incident response, and physical security.
  • Conduct annual penetration testing and twice-yearly ("bi-annual") vulnerability assessments.
  • Provide security awareness training to personnel and monitor activities of authorized users.
  • Use multi-factor authentication for accessing internal networks from external networks.
  • Encrypt NPI and other confidential or sensitive data in transit over external networks and at rest (or, where encryption is infeasible, apply compensating controls reviewed and approved by the CISO).
  • Notify the NYS Superintendent of Financial Services within 72 hours of determining that a reportable Cybersecurity Event has occurred.
  • Submit a Certification of Compliance report annually via the DFS Cybersecurity Portal.

Q. What are the penalties for non-compliance?

A. Penalties for non-compliance are severe. DFS may bring an enforcement action seeking civil monetary penalties, with the amount sought depending on the nature and severity of the violation. In recent enforcement actions, DFS has treated each instance of non-compliance as a separate violation, carrying up to $1,000 in penalties per violation.

For more information and guidance regarding these matters, 23 NYCRR 500, and its applicability to your business, contact info@olenderfeldman.com or mfeldman@olenderfeldman.com for the Data Privacy and Information Security Group of OlenderFeldman LLP.

[1] Note that, although CCRCs are generally subject to HIPAA, the term "Covered Entities" as used herein is limited to the meaning of that phrase under 23 NYCRR 500.