National Sep 14, 2017
NYDFS says individuals must file
The New York State Department of Financial Services added new FAQs to its "frequently asked questions" page this week that direct individual licensees to file for an exemption from Part 500—the cybersecurity regulation. This was the first written mention of such an interpretation, more than six months after adoption. Individuals who write business in New York have until Sept. 27, 2017, to file the exemption. However, your association has requested an extension.
Working together, PIANY, IIABNY and NYSAHU fought against the NYDFS interpretation that individual licensees were not subject to the regulation. Written objections were sent to the NYDFS in a joint letter from the associations. PIANY met independently with top staff from the governor’s office and with the NYDFS and participated in an additional conference call Sept. 12 with representatives from the governor’s office. Unfortunately, the regulators have chosen to reject our arguments and interpret the regulation in a way that will require hundreds of thousands of individually licensed insurance producers, both within and outside New York state, to complete this form with no discernible benefit to those they serve.
Our objections notwithstanding, we recognize and respect the department’s authority in its interpretation, and we urge all licensed producers to visit the department’s website to complete and submit the online form. This should be done as soon as possible but no later than Sept. 27, 2017. While we disagree with and are disappointed with the department’s interpretation of Part 500, we consider compliance with state laws and regulations to be an important obligation of agents and brokers. Therefore, all licensed individuals should take immediate steps to comply with the requirements as the department has interpreted them.
The NYDFS addresses the specific question of whether a Covered Entity that qualifies for an exemption under 23 NYCRR Section 500.19(b) [employees, agents, representatives] needs to file a notice of exemption. NYDFS clarified that "Pursuant to 23 NYCRR Section 500.19(e): '[a] Covered Entity that qualifies for any of the above exemptions pursuant to this section shall file a Notice of Exemption.'"
We will continue to fight for our members’ interests in all legislative and regulatory matters, as we did in this case, and push back against unreasonable requirements.
PIA has the resources (see your Privacy Compliance Central) to help you understand what is expected of you and your agency. Moreover, PIANY can answer any questions you may have about this regulation. Contact PIA’s Industry Resource Center and our technical staff will be able to walk you through the requirements. See specifically: Cybersecurity regulation—limited exemption form required for employees?