2024 has not been a good new year for Genesis Global Trading, Inc. (“GGT”). On January 3, 2024, the New York Department of Financial Services (“NYDFS”) announced a consent order negotiated with GGT, under which GGT agreed to pay NYDFS $8 million and surrender its BitLicense (its license for cryptocurrency trading) for GGT’s alleged violations of NYDFS’ cybersecurity and virtual currency regulations. This post focuses on the cybersecurity regulatory issues. (For more on the cryptocurrency and financial services/regulatory aspects, see https://www.nortonrosefulbright.com/en/knowledge/publications/4c9650ae/2023-crypto-round-up)
Background
NYDFS had granted GGT a license to conduct non-custodial cryptocurrency exchange operations, which means that GGT is subject to both the NYDFS virtual currency regulations and its cybersecurity regulations. NYDFS conducted its first examination of GGT covering May 17, 2018 through March 31, 2019, and found violations of both the cybersecurity and the virtual currency regulations.
NYDFS conducted a second examination covering April 1, 2019 through March 31, 2022. According to the consent order, NYDFS “determined that while GGT’s business grew significantly during this period, little effort or resources were devoted to addressing the identified deficiencies” from the first examination. In fact, the second examination identified further compliance violations of both the virtual currency and the cybersecurity regulations.
Cybersecurity regulations
NYDFS found a number of ways in which GGT had failed to comply with the cybersecurity regulations, starting with the required risk assessment. NYDFS characterizes risk assessments as “the foundation of a covered entity’s cybersecurity program” (¶ 29), adding that risk assessments “inform the design of cybersecurity policies” and are required to be approved (¶ 30).
NYDFS said that GGT’s assessment was not only “years late” but also “not comprehensive enough to identify areas, systems, or processes that need significant improvements, updates, or redesigns,” and that it “did not include a plan” to strengthen GGT’s cybersecurity program so that it fully complied with the requirements of the Cybersecurity Regulation (¶ 31). The risk assessment also did not allow for modification in response to changes in threats or technological developments, and it did not adequately consider the cybersecurity risks to GGT’s business operations, including “GGT’s systems,” the “NPI collected or stored on information systems,” and the inadequate controls in place to protect them (¶ 32).
NYDFS also found that GGT’s policies did not address asset inventory and device management, and did not include a requirement to notify NYDFS within 72 hours of a cybersecurity incident (¶ 35). GGT’s business continuity/disaster recovery plan “still lacked sufficient BCDR procedures to address specific cybersecurity requirements,” there had been no “adequate training” for the relevant roles, and no annual testing had been carried out (¶ 36).
Data over-retention
Next, NYDFS showed how the cybersecurity regulatory requirements are interconnected when it comes to data. NYDFS found that GGT’s data classification policies and procedures were “incomplete, resulting in serious concerns about GGT’s ability to adequately assess compliance with cybersecurity regulatory access rights, data disposal, and encryption requirements. These issues prevented GGT from effectively restricting access to sensitive information.” (¶ 37, citation omitted)
The second NYDFS examination found that GGT had never established policies and procedures to securely dispose of non-public personal information on a periodic basis (¶ 39). NYDFS found that “in practice, critical application data is stored indefinitely, and despite clear requirements, there are no processes in place to classify and delete data that no longer needs to be stored” (¶ 39). Furthermore, “with no data classification policy in place, there was no way to ensure that all sensitive data and NPI was identified and encrypted as required by cybersecurity regulations” (¶ 40).
GGT has 10 days to pay the $8 million penalty (¶ 61) and agreed to surrender its cryptocurrency business license (¶ 66).
Our view
As we’ve written before, regulators are increasingly paying attention to data over-retention and imposing fines on that basis. Here, similar to the FTC settlement described in the link above, GGT held too much personal information, with no plan to rectify the problem and without any documented business purpose; the data is said to have been retained indefinitely. Companies should focus on establishing and implementing reasonable information governance policies and record retention schedules, with particular emphasis on records containing personal information.
Even where such policies and programs are difficult to implement in the short term, let alone proactively disposing of data at scale, companies should have a working framework and a path to substantial completion; that puts a company in a far better position with regulators. Additionally, organizations should focus on actually changing behavior and deleting real data, rather than endlessly fine-tuning policies and schedules. Whether a document category is kept for 6 years or 7 years is far less important than actually training employees and configuring systems so that data stops being retained indefinitely. A database that systematically deletes data after 10 years is great, but the control is undermined if an employee regularly downloads information to a file share or to OneDrive and retains that copy indefinitely.