2024 was not a happy new year for Genesis Global Trading, Inc. (“GGT”).  On January 3, 2024, the New York Department of Financial Services (“NYDFS”) announced a consent order with GGT, under which GGT agreed to pay NYDFS $8 million and to surrender its BitLicense (its license to conduct virtual currency business), due to alleged violations of NYDFS’ cybersecurity regulation and its virtual currency regulation.  This post focuses on the cybersecurity regulation issues.  (For more information about the crypto and financial services/regulation aspects, please see https://www.nortonrosefulbright.com/en/knowledge/publications/4c9650ae/2023-crypto-round-up.)

Background

NYDFS granted GGT a license to conduct a non-custodial cryptocurrency exchange business, which meant GGT was subject to both NYDFS’ virtual currency regulation and its cybersecurity regulation.  NYDFS conducted its first examination of GGT (the “First Exam”) for the period May 17, 2018 through March 31, 2019, and found violations of both the cybersecurity and virtual currency regulations.

NYDFS conducted its second examination (the “Second Exam”) for the period April 1, 2019 through March 31, 2022.  According to the consent order, NYDFS “determined that, while GGT’s business had grown significantly during this period, little effort or resources had been directed to addressing the deficiencies identified in the First Exam. In fact, the Second Exam identified further compliance failures with respect to the Virtual Currency Regulation and the Cybersecurity Regulation.”

Cybersecurity Regulation

NYDFS found a number of issues with respect to GGT’s lack of compliance with the cybersecurity regulation, starting with the required risk assessment.  NYDFS characterized the risk assessment as “the foundation of a Covered Entity’s cybersecurity program” (¶ 29), adding that it “serves to inform the design of the cybersecurity policies,” which the entity’s Board must approve. (¶ 30)

Not only was the assessment “years late,” NYDFS said that it “was not sufficiently comprehensive and did not include identification of areas, systems, or processes that required material improvement, updating, or redesign, or plans for enhancing GGT’s cybersecurity program to achieve full compliance with the requirements of the” cybersecurity regulation.  (¶ 31)  The risk assessment also did not provide for revision as threats and technology changed, nor did it “adequately consider the cybersecurity risks to GGT’s business operations including NPI collected or stored on Information Systems and the inadequate controls in place to protect” GGT’s systems. (¶ 32)

NYDFS also found that GGT did not address asset inventory and device management, nor did its policies reflect the requirement to notify NYDFS within 72 hours of a cybersecurity incident. (¶ 35)  GGT’s business continuity/disaster recovery plan “still lacked sufficient BCDR procedures to address certain cybersecurity requirements.”  (¶ 36)  NYDFS also found that GGT’s employees were not “sufficiently trained” on their roles under the BCDR policy and that there was no annual testing of the plan.  (¶ 36)

Data and Over-Retention

NYDFS then showed how interconnected the cybersecurity regulation’s data-related requirements are.  NYDFS found that GGT’s data classification policies and procedures “were incomplete, thus resulting in significant concerns regarding GGT’s ability to adequately assess its compliance with the Cybersecurity Regulation’s access privilege, data disposal, and encryption requirements.  These issues, in turn, prevented GGT from effectively limiting access to sensitive information.”  (¶ 37, citations omitted)

The Second Exam found that GGT had never established policies and procedures for the periodic secure disposal of non-public personal information.  (¶ 39)  “In fact, data in critical applications was stored indefinitely and there was no process in place for categorizing and purging data that is no longer necessary to store, despite the clear requirements” in the cybersecurity regulation.  (¶ 39)  In addition, “due to the lack of a data classification policy, there were no means to ensure that all sensitive data and NPI were identified and encrypted as required by” the cybersecurity regulation.  (¶ 40)

GGT has 10 days to pay the $8 million penalty (¶ 61), and it has agreed to surrender its virtual currency business license.  (¶ 66)

Our Take

As we have previously written, regulators are giving increasing attention to the over-retention of data and have been leaning on it to levy fines.  Here, similar to the FTC settlement we have previously discussed, GGT had not only over-retained personal information, but had no plan to remediate the issue and, in fact, was indefinitely retaining data for no documented business purpose.  Companies should focus on establishing and implementing a reasonable information governance policy and record retention schedule, with special emphasis on documents that contain personal information.

Even where implementing such policies and programs in the near term is difficult – much less actively disposing of data at scale – companies can put themselves in a better position by having a working framework and a path to substantial completion.  Moreover, organizations should focus more on actually changing behavior and getting data deleted than on over-tuning policies and schedules.  Whether a document category should be kept for 6 or 7 years is not as significant a decision as actually working to get employees and systems to stop retaining data indefinitely.  A database that systematically deletes data after 10 years is good, but its value is undermined if employees routinely download the information to file shares and OneDrive and retain it there indefinitely.