DFS-Compliant Cybersecurity Policy for CCRCs
LeadingAge New York is urging lawmakers to support A.1185 (Cahill), legislation that would permit Continuing Care Retirement Communities (CCRCs) to adopt written cybersecurity policies and self-certify that such policies are not inconsistent with the goals of the cybersecurity regulations promulgated by the Department of Financial Services (DFS) in 2017.
DFS's final regulations, effective as of March 1, 2017, require most banks, insurers, and other financial institutions within DFS's regulatory jurisdiction to protect their customer information from cyberattacks. All covered entities are also required to annually certify to DFS that they are complying with the regulations, with the first yearly compliance certification due February 15, 2018. Although CCRCs obtain their certificates of authority from the CCRC Council under Article 46 of the Public Health Law and do not operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization from DFS, the agency clarified in writing for the first time in mid-February 2018 that CCRCs are considered covered entities and are subject to the regulations.
New York's CCRCs are much smaller than most financial institutions and insurers that are subject to these regulations. The average CCRC has a total annual operating budget of approximately $20 million. Unlike banks and most insurers, which transact with thousands of customers—often through e-commerce—CCRCs typically collect funds from only 200 to 400 prospective and existing residents in the form of deposits, entrance fees, and monthly fees. Moreover, as health care providers, CCRCs are already subject to standards for privacy of individually identifiable health information under all applicable laws, including those governing technology, security, and privacy, and corresponding regulations.
Enter your information below to contact your lawmakers, urging them to support A.1185 (Cahill). You can also access LeadingAge NY's memo of support here.