An impending cybersecurity regulation intended to protect consumer data in New York’s financial services industry threatened to reach numerous charitable organizations swept in through their use of a common fundraising (planned giving) method, the charitable gift annuity. The new cybersecurity strictures from the state’s Department of Financial Services (“DFS”) go into effect on March 1, 2017. New York’s nonprofit community faced onerous and costly compliance obligations, including specified risk-based cybersecurity programs, penetration testing and vulnerability assessments, mandated reporting of cybersecurity events, and encryption of specified “nonpublic information” in transit and at rest.
New York has billed its “first-in-the-nation” cybersecurity regulation as “designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.” The stated purpose of the rule is to “protect consumer data and financial systems from terrorist organizations and other criminal enterprises.” However, advocates for the state’s charitable community, including Nixon Peabody LLP, told DFS the regulation as drafted not only applied to the state’s intended targets - banks, insurance companies and other financial services entities - but also reached charities that had only a tangential connection to DFS through a section of the state’s Insurance Law.
Many charities, including colleges, universities, community foundations, religious institutions and health care providers, are subject to DFS’s regulation solely because they issue charitable gift annuities as part of their fundraising and development efforts. A charitable gift annuity allows a donor to make a charitable gift in exchange for a fixed annuity paid to the donor over his or her lifetime. Section 1110 of New York’s Insurance Law requires charitable entities exceeding a specified threshold of required reserved funds related to gift annuities ($1,000,000) to obtain a special permit from DFS to continue to issue gift annuities in the state. It was this permit from DFS that triggered application of the new cybersecurity regulation to New York’s nonprofit community.

Charities that would have been subject to the cybersecurity rule solely through the special permit requirement urged DFS to exempt them, arguing they maintained only minimal personally identifiable information about donors for tax reporting purposes. In addition, they cited other cybersecurity mandates they followed associated with their respective industries that protected sensitive donor data, such as HIPAA and FERPA. The charities argued they were unfairly, and perhaps inadvertently, being covered by the new rule. Yesterday, DFS agreed, announcing a final cybersecurity regulation that included the requested exemption.