Despite regular talk of the need for increased federal scrutiny and action on cyber and data security policy, the bulk of work has been left to state governments as Congress plots its path forward. Notably, New York Governor Andrew Cuomo issued a proposed cybersecurity rule in September that would apply to banks, insurers and other commercial services industries that operate in the state.
NMHC and NAA are following cyber and data security actions carefully because apartment firms and their third-party service providers regularly collect, use and maintain sensitive financial and personal data about residents, prospective residents and employees that leave them vulnerable to cyber incidents.
Under Governor Cuomo’s proposal, institutions overseen by the New York State Department of Financial Services (NYDFS) that are varied and many would be required to:
- Establish a cybersecurity program;
- Designate a chief information security officer;
- Adopt a written cybersecurity policy; and
- Implement policies and procedures to bolster information security.
This new proposed regulation has a 45-day comment period beginning September 28 and will otherwise go into effect on January 1, 2017. While not multifamily or real estate specific, this new regulation is noteworthy in its reach and provides a good snapshot of where states are heading in the absence of federal standards.
Recent revelations about the massive Yahoo account breach and high-profile email leaks have reenergized congressional interest in legislation aimed at establishing national cybersecurity and data breach standards such as the one passed by the House Financial Services Committee in late 2015. The multifamily industry raised concerns about that legislation as it sought to impose overly burdensome requirements on businesses of all scopes and sizes. NMHC/NAA is working with Congressional leaders to ensure that any such proposal that moves forward recognizes the unique nature and needs of our industry while ensuring the data we use as an industry is secure.
Additional information on data security, including a white paper with best practices, can be found at www.nmhc.org/data-security.