Cybersecurity and Data Privacy: Exemption from Cybersecurity Regulations Sought by Bond for Colleges, Universities and other Not-for-Profit Organizations Granted in Final Regulations Issued by Department of Financial Services

February 22, 2017

By: Tracy E. Miller and Curtis A. Johnson

As we informed our clients in a prior memorandum, Bond, Schoeneck & King sought an exemption from proposed cybersecurity regulations for institutions of higher education and other charitable organizations covered solely because they operate a donor annuity program. We are pleased to report that the Final Regulations, issued by the New York State Department of Financial Services (DFS) on February 16, 2017, granted this exemption. As a result, hundreds of institutions, ranging from some of the largest universities, museums, social service and religious organizations in the State to smaller social service and advocacy organizations, are exempt.

Joined by the Commission on Independent Colleges and Universities, Tracy Miller, Co-Chair of the Cybersecurity and Data Privacy Practice and a member of the Higher Education Practice, submitted a letter to DFS urging adoption of the exemption noting, among other reasons, that the proposed regulations, designed for financial institutions such as banks, would impose an exceptional financial and administrative burden on institutions of higher education and other charitable organizations unrelated to their mission, size, resources or operations. Moreover, as set forth in the letter, these organizations are already covered by other cybersecurity laws and regulations.

If you have any questions about the exemption, please contact Tracy E. Miller or Curtis A. Johnson.