The New York Department of Financial Services recently published proposed regulations which would require virtual currency businesses operating in New York State to safeguard data and protect customer privacy.

Notably, the proposed regulations include requirements for virtual currency businesses to maintain cyber security programs and business continuity and disaster recovery plans.

Virtual currencies under the regulations include decentralized digital currencies (such as Bitcoin), as well as centrally issued or administered digital currencies and those that can be created by computerized or manufacturing effort (e.g. Bitcoin mining). Virtual currencies would not include digital units used in online gaming platforms that are of no value outside the gaming environment, nor would they include affinity and rewards program points that cannot be converted or redeemed for government issued currency.

Cyber security programs, very similar to the written information security programs we have previously discussed, would be required to be in writing and must ensure the availability and functionality of the business’s electronic systems and protect those systems and any sensitive data stored on them from unauthorized access, use, or tampering. The cyber security program must perform five core cyber security functions:

  1. identify internal and external cyber risks;
  2. protect the business’s electronic systems, and the information stored on those systems, from unauthorized access, use, or other malicious acts;
  3. detect systems intrusions, data breaches, unauthorized access to systems or information, malware, and other Cyber Security Events;
  4. respond to detected Cyber Security Events to mitigate any negative effects; and
  5. recover from Cyber Security Events and restore normal operations and services.

Similarly, the cyber security policy must address the following areas:

  1. information security;
  2. data governance and classification;
  3. access controls;
  4. business continuity and disaster recovery planning and resources;
  5. capacity and performance planning;
  6. systems operations and availability concerns;
  7. systems and network security;
  8. systems and application development and quality assurance;
  9. physical security and environmental controls;
  10. customer data privacy;
  11. vendor and third-party service provider management;
  12. monitoring and implementing changes to core protocols not directly controlled by the business, as applicable; and
  13. incident response.

Some other key provisions of the cyber security program include the identification of a Chief Information Security Officer (“CISO”) — who is responsible for overseeing and implementing the cyber security program and enforcing its cyber security policy — as well as audit functions, which include annual penetration testing of the business’s electronic systems and audit trail systems to track and maintain data.

A 45-day public comment period began upon the publication of the proposed regulations.