Securing Client Data

In July 2020, the New York State Department of Financial Services (NYDFS) filed the first enforcement action under the new NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500), against a leading title insurance provider. Part 500, which went into effect in March 2019, is a set of regulations that places new cybersecurity requirements on financial institutions regulated by NYDFS. Pursuant to Part 500, covered financial institutions must establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of non-public information (NPI). Covered entities must also maintain policies and procedures to protect the privacy of consumer data.

The Statement of Charges filed by NYDFS alleged that the organization did not maintain adequate internal controls to protect NPI and exposed numerous documents containing consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images. More specifically, NYDFS alleged that a “known vulnerability” in the organization’s information systems resulted in exposure of NPI via the company’s public-facing website. According to the Statement of Charges, the organization updated an internal system and inadvertently created access to loan documents — without any login or authentication — through a public URL. NYDFS also alleged that an internal penetration test identified the vulnerability in December 2018, but the organization failed to remediate it properly and in a timely manner.

Why are we sharing this story? Because every business needs to take security seriously. We are well past the times of saying “We didn’t know,” “It will not happen to our company,” “We don’t have private information,” “That regulation does not apply to us” (every state has privacy regulations), or “We should be fine.” You need to be in a confident, defensible position to say, “We verified internally and then re-verified with a third party to ensure we keep PII and NPI well protected as per regulatory compliance.” Not being able to prove and say this means you could be exposed.

What Should You Do Now?

  1. Verify your current state. Challenge your business owners to see whether they know what they are asking IT and Security to do to protect the data “they” own, and how that protection is actually applied.
  2. Self-assess. Create your own internal audit to verify your security and data protection practices in a holistic sense.
  3. Call GDT to run a security risk and gap analysis specific to your business and data types you possess.
  4. GDT will identify the risks and define a remediation plan that can be executed efficiently. Do not worry if your team does not have the time or skills to remediate; GDT can do that for you if you so choose.
  5. Schedule GDT to run your gap analysis every six months so you can maintain your compliant state, and so your legal team and executives can be confident in a defensible, safe and secure posture.

Staying compliant with regulations is NOT a one-time or point-in-time status. It should be taken as an everyday commitment: a commitment to your clients, partners and employees that your business will transact in a safe, secure, diligent, and consistent way; a commitment not to create risk and reputational damage that may be unrecoverable; and a commitment to run your daily operations securely every day, not just once a year when there is an audit or, worse, only after something goes wrong.
