Banking Perspectives

Just another WordPress site

Second Quarter 2017

The Constitutionality of State Cybersecurity Regulations

Cybersecurity, Supervision and Enforcement

New York’s recent cybersecurity regulations have real-world implications in other states. Whether these and similar laws and regulations pass muster under the dormant Commerce Clause is, at this point, an open question.

by Matthew A. Schwartz and Corey Omer

On March 1, 2017, New York implemented new cybersecurity regulations governing the information security programs of New York-licensed financial services institutions. Because most of these financial services institutions rely on online systems that run across state lines, these regulations are sure to have implications that extend well beyond New York’s borders. Moreover, other states likely will follow New York’s lead by adopting their own cybersecurity regulations, which may or may not be similar in content and scope.

The prospect of a national patchwork of state cybersecurity regulations – all governing a medium that, as one court wryly noted, “does not recognize geographic boundaries”1 – raises the issue of whether such regulations violate the U.S. Constitution’s “dormant” Commerce Clause, which restricts states’ ability to discriminate against or unduly burden interstate commerce. In exploring this question, this article begins by laying out the current cybersecurity regulation landscape as it applies to financial services institutions operating in the United States. It then summarizes the key case law concerning the dormant Commerce Clause and its application to state laws that have sought to regulate the Internet. Finally, the article considers the constitutionality of state cybersecurity regulations under the dormant Commerce Clause.

Cybersecurity Regulation of Financial Services Institutions
Since the passage of the Gramm-Leach-Bliley Act of 1999 (GLBA), various federal authorities (including the Federal Reserve, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Securities and Exchange Commission, the National Credit Union Administration, the Federal Trade Commission, and the Commodity Futures Trading Commission) have overseen the data security of the vast majority of financial services institutions operating in the United States.2 The GLBA imposes on financial services institutions an “affirmative and continuing obligation to respect the privacy of [their] customers and to protect the security and confidentiality of those customers’ nonpublic personal information” through administrative, technical, and physical safeguards.3 Pursuant to the GLBA, these federal authorities have promulgated regulations requiring financial services institutions subject to their jurisdiction to meet these obligations and protect customer information, which of course includes information stored electronically, against anticipated threats and unauthorized access.4 Other federal authorities, such as the Consumer Financial Protection Bureau (CFPB), have also sought to enter the federal cyber-regulation fray.5

Until recently, state financial regulators have not tried to impose their own comprehensive data security regimes on entities they regulate.

Until recently, however, state financial regulators have not tried to impose their own comprehensive data security regimes on entities they regulate.6 This changed on March 1, 2017, when the New York Department of Financial Services’ (DFS) new cybersecurity regulations came into effect.7 The regulations – which the DFS has touted as “first-in-the-nation” for any state regulator8 – impose a broad range of obligations on “Covered Entities,” including, among other entities, New York-chartered banking institutions and New York branches of foreign banks.9

Among other things, the regulations require covered entities to:

  • establish a robust “cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems”;10
  • “conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program”;11
  • “implement and maintain a written policy or policies … setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems”;12
  • “establish a written incident response plan designed to promptly respond to, and recover from, any [material] Cybersecurity Event”;13
  • “limit user access privileges to Information Systems that provide access to Nonpublic Information”;14
  • “designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy”;15
  • maintain “effective continuous monitoring” or conduct “annual Penetration Testing” and “bi-annual vulnerability assessments” of the covered entity’s information systems;16
  • “implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest”;17 and
  • “[a]nnually … submit to the [DFS] a written statement covering the prior calendar year … certifying that the Covered Entity is in compliance with the requirements set forth in [the regulations].”18

The Dormant Commerce Clause
Article 1, Section 8, Clause 3 of the U.S. Constitution grants Congress the power to “regulate Commerce with foreign nations, and among the several states, and with the Indian tribes.”19 Although this provision, commonly referred to as the Commerce Clause, is phrased as an affirmative grant of power to Congress to regulate commerce that flows across jurisdictions, the U.S. Supreme Court recognized as early as 182420 that this language “contains a further, negative command, known as the dormant Commerce Clause that create[s] an area of trade free from interference by the States.”21 Stated differently, states may not regulate interstate commerce regardless of whether Congress has enacted laws prohibiting them from doing so. Indeed, imposing such a “negative” limitation on states’ authority to regulate commerce was “a central concern of the Framers that was an immediate reason for calling the Constitutional Convention: the conviction that in order to succeed, the new Union would have to avoid the tendencies toward economic Balkanization that had plagued relations among the Colonies and later among the States under the Articles of Confederation.”22

Despite its critics,23 and a somewhat meandering jurisprudential history, courts have generally analyzed the “dormant” or “negative” Commerce Clause under a two-pronged framework. First, where a state law “clearly discriminates against interstate commerce” in favor of intrastate commerce, the law “will be struck down unless the discrimination is demonstrably justified by a valid factor unrelated to economic protectionism.”24 Pursuant to this prong of the dormant Commerce Clause doctrine, “where simple economic protectionism is effected by state legislation, a virtually per se rule of invalidity has been erected. The clearest example of such legislation is a law that overtly blocks the flow of interstate commerce at a State’s borders.”25

Second, where a state law “regulates even-handedly to effectuate a legitimate local public interest, and its effects on interstate commerce are only incidental,” courts will nevertheless strike the law down if “the burden imposed on such commerce is clearly excessive in relation to the putative local benefits.”26 Pursuant to this second prong, which has come to be known as the “Pike balancing test,” “[i]f a legitimate local purpose is found, then the question becomes one of degree. And the extent of the burden that will be tolerated will of course depend on the nature of the local interest involved, and on whether it could be promoted as well with a lesser impact on interstate activities.”27

Although the U.S. Supreme Court has not considered the implication of the dormant Commerce Clause for states’ Internet regulations, a number of lower federal and state courts have done so.

The U.S. Supreme Court has recognized, however, that “there is no clear line separating the category of State regulation that is virtually per se invalid under the Commerce Clause, and the category subject to the [Pike] balancing approach. In either situation the critical consideration is the overall effect of the statute on both local and interstate activity.”28 It is in this unclear expanse between per se invalidity and undue burden that at least two additional aspects of a challenged state law have proven potentially determinative to the dormant Commerce Clause inquiry: (a) whether the law regulates beyond the state’s borders, and (b) whether the statute leads to inconsistent regulatory burdens. These aspects have been variously treated by the courts as factors under the Pike balancing test, or as separate and independent tests under the dormant Commerce Clause doctrine.29

The dormant Commerce Clause’s application to laws that “directly control[] commerce occurring wholly outside the boundaries of a State”30 – commonly known as the extraterritoriality doctrine – has been characterized as possibly “the least understood of the Court’s … strands of dormant commerce clause jurisprudence.”31 In the case of Healy v. Beer Institute, the U.S. Supreme Court synthesized its key precedents regarding the extraterritoriality doctrine,32 explaining that “the Commerce Clause … precludes the application of a state statute to commerce that takes place wholly outside of the State’s borders, whether or not the commerce has effects within the State.”33 As a result, “a statute that directly controls commerce occurring wholly outside the boundaries of a State exceeds the inherent limits of the enacting State’s authority and is invalid regardless of whether the statute’s extraterritorial reach was intended by the legislature.”34 The “critical inquiry” in this regard “is whether the practical effect of the regulation is to control conduct beyond the boundaries of the State,” which is “evaluated not only by considering the consequences of the statute itself, but also by considering how the challenged statute may interact with the legitimate regulatory regimes of other States and what effect would arise if not one, but many or every, State adopted similar legislation.”35 The court noted that, “[g]enerally speaking, the Commerce Clause protects against inconsistent legislation arising from the projection of one state regulatory regime into the jurisdiction of another State.”36

Courts are likely to consider closely the extraterritorial implications and risk of inconsistent regulatory burdens posed by state cybersecurity regulations.

In the years since Healy, courts have continued to invalidate “regulation[s] that ha[ve] the practical effect of controlling commerce that occurs entirely outside of the [enacting] state.”37Recently, for example, the Seventh Circuit invalidated an Indiana law that regulated “how out-of-state manufacturers [of e-cigarettes] must build and secure their facilities, operate assembly lines, clean their equipment, and contract with security providers, if any of their products are sold in Indiana.”38

The U.S. Supreme Court and lower courts have also, on occasion, “invalidated state laws under the dormant Commerce Clause that appear to have been genuinely nondiscriminatory” but that “undermined a compelling need for national uniformity in regulation.”39 Laws struck down under this principle have typically been those that risk subjecting a means of interstate commerce, such as rail and highway traffic, to inconsistent state regulations.40 Importantly, some courts have held that “state laws which merely create additional, but not irreconcilable, obligations are not considered to be ‘inconsistent’ for this purpose.”41

Regulation of the Internet Pursuant to the Dormant Commerce Clause
As courts have recognized, there is little doubt that “as both the means to engage in commerce and the method by which transactions occur, ‘the Internet is an instrumentality and channel of interstate commerce.’”42 “[R]egulation of the Internet” thus “impels traditional Commerce Clause considerations.”43

Although the U.S. Supreme Court has not considered the implication of the dormant Commerce Clause for states’ Internet regulations, a number of lower federal and state courts have done so. One line of cases that is often traced back to the seminal case American Libraries Association v. Pataki suggests that state laws that regulate the Internet are very likely to violate the dormant Commerce Clause.44 In Pataki, a New York federal court held that a New York statute making it a crime to disseminate certain materials deemed harmful to minors violated the dormant Commerce Clause for three reasons. First, the court found that, because “[t]he nature of the Internet makes it impossible to restrict the effects of the New York Act to conduct occurring within New York” and “New York has deliberately imposed its legislation on the Internet,” the state had impermissibly “projected its law into other states whose citizens use the Net,” and had thereby violated the dormant Commerce Clause’s extraterritoriality doctrine.45

Second, the court concluded that, under the Pike balancing test, the burdens the statute imposed on interstate commerce exceeded the statute’s local benefits.46 Although the court accepted “that the protection of children against pedophilia is a quintessentially legitimate state objective,” it found that “[t]he local benefits likely to result from the [statute] are not overwhelming” given that the statute would “have no effect on communications originating outside the United States,” the prosecution of out-of-state parties who allegedly violate the statute “is beset with practical difficulties,” and other New York statutes exist to “protect children against sexual exploitation.”47 By contrast, the court reasoned that the statute would impose “an extreme burden on interstate commerce” by chilling Internet communications, requiring users to self-censor or risk prosecution, and imposing excessive costs on users attempting to comply with the statutes’ defenses.48

Third, the court held that the statute “unconstitutionally subjects interstate use of the Internet to inconsistent regulation.”49 The court reasoned that “[t]he Internet, like … rail and highway traffic … requires a cohesive national scheme of regulation so that users are reasonably able to determine their obligations. Regulations on the local [l]evel, by contrast, will leave users lost in a welter of inconsistent laws, imposed by different states with different priorities.”50 Such “inconsistent regulatory schemes could paralyze the development of the Internet altogether” as users, who have no ability to “bypass any particular state” online, would be required to “comply with the regulation imposed by the state with the most stringent standard or [forgo] Internet communication.”51

A number of federal courts have adopted or endorsed part or all of the Pataki analysis to invalidate state statutes regulating the dissemination of content online.52 Courts have, however, declined to extend the Pataki analysis to state statutes that regulate online communications aimed at individuals within the regulating state, such as email, rather than all online conduct. For instance, Washington and Maryland courts have each upheld their respective state’s statute regulating the content of unsolicited emails (known as “anti-spam laws”), because the statute applied only to advertisers that either used equipment located in the state or sent prohibited online communications to someone the advertiser knew or should have known was a resident of the state.53

Moreover, with the development of geolocation technology, some courts have held that even state laws regulating websites – such as a California statute that would require a news provider to provide closed captioning for online videos – do not violate the extraterritoriality doctrine, because the news provider “could enable a captioning option for California visitors to its site, leave the remainder unchanged, and thereby avoid the potential for extraterritorial application of the [statute].”54 “Healy,” one court has noted, “does not address whether a statute violates the commerce clause when a defendant can comply with a statute in such a way as to avoid extraterritorial application,” and “[c]ourts have held that when a defendant chooses to manufacture one product for a nationwide market, rather than target its products to comply with state laws, defendant’s choice does not implicate the commerce clause.”55Finally, some “courts have upheld state laws regulating the internet by reasoning that the statute was intended to apply only to local conduct, or that the state would enforce the law only against conduct occurring within the state.”56

The Constitutionality of States’ Regulation of Cybersecurity Pursuant to the Dormant Commerce Clause
State regulation of financial services institutions’ cybersecurity implicates a range of dormant Commerce Clause considerations, including extraterritoriality, the risk of inconsistent regulation, and the significant burden that a patchwork of state cybersecurity regulations would impose on financial services institutions operating across multiple states and internationally. As a result – although state cybersecurity regulations to date do not appear to “clearly discriminate[] against interstate commerce”57 and would therefore likely withstand per se invalidity under the first prong of the dormant Commerce Clause doctrine – they are certain to face greater resistance under the second prong of the doctrine, the Pike balancing test. As part of the Pike analysis (or as independent prongs of the dormant Commerce Clause doctrine), courts are likely to consider closely the extraterritorial implications and risk of inconsistent regulatory burdens posed by state cybersecurity regulations. Let’s begin by considering these two implications and then proceed to discuss the balancing under Pike.

First, state cybersecurity regulations are virtually certain to trigger extraterritoriality concerns. For example, although the precise entities that will be considered “covered entities” and thus subject to the DFS’s cybersecurity regulations are not entirely clear in every case, the list likely includes New York-licensed branches, agencies, representative offices, subsidiaries, and other affiliates of financial services institutions chartered in other jurisdictions and operating in multiple jurisdictions nationally or internationally.58 To the extent the information systems of such New York-covered entities are intertwined with those of the larger financial services institutions to which they belong (a likely prospect), the larger financial services institutions may find themselves forced to either develop a separate cybersecurity program only for their New York-covered entities – a complicated and costly endeavor – or bring their entire groupwide system, regardless of how small a percentage of their business is conducted in New York, into compliance with the cybersecurity regulations. The former option may lead to the balkanization of information systems, while the “practical effect” of the latter may be to permit the DFS to regulate the adequacy of cybersecurity programs that extend far beyond New York and even the United States.59

In this respect, state cybersecurity regulations may be compared with the price-affirmation laws struck down in the cases of Healy and Brown-Forman Distillers. The laws at issue in those cases pegged in-state prices at which goods are sold to the lowest price charged for the same goods in other states and, in so doing, had “ripple effects in other states, effectively setting the price for a commodity in transactions outside the regulating state.”60 So, too, the DFS’s regulations could, in practice, “effectively set[]” the minimum standards for cybersecurity for entities operating entirely outside New York.

State regulators might push back on dormant Commerce Clause challenges by contending that state regulations like New York’s that are applicable only to entities “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization”61 from a state regulator – and, therefore, presumably doing business in the state – do not regulate conduct “wholly” outside the state’s borders. For example, although the Seventh Circuit recently invalidated an Indiana law that regulated the facilities and operations of out-of-state e-cigarette manufacturers that sold their products in that state, the law applied to manufacturers regardless of whether they had any operations in Indiana.62Thus, it applied to commerce taking place “wholly” outside the state’s borders. By contrast, covered entities generally will have some operations in New York, and those with only minimal operations are exempted from several of the cybersecurity regulations’ more onerous requirements.63 (Note, however, that if the DFS attempts to apply the regulations to covered entities that have business activities – but no physical presence – in New York, such entities may have an even stronger claim that the regulations are impermissibly extraterritorial in their reach.) Moreover, a covered entity that chooses to adopt the cybersecurity program of a parent or affiliate may have difficulty in advancing an extraterritoriality claim if it could, without significant expense and effort, develop its own separate, local cybersecurity program. Even then, in certain narrow situations, courts have held that the “increased cost of complying with a regulation” that does not discriminate against out-of-state actors does not violate the dormant Commerce Clause, even if those costs may lead the out-of-state actor “to abandon the state’s market” entirely.64

Second, although the cybersecurity regulations are “first-in-the-nation,” they are unlikely to be the last and, therefore, pose a risk of inconsistent regulatory burdens on the Internet – an area several courts have acknowledged “requires a cohesive national scheme of regulation.”65 As other states consider adopting their own cybersecurity regulations, financial services institutions operating in multiple states will need to assess whether the state laws to which they are subject are likely to result in inconsistent and uncoordinated regulation. In this respect, the final version of the regulations – which on its face adopts a more flexible, risk-based approach – might be in a stronger position to survive constitutional scrutiny than the DFS’s initial-proposed version of the regulations, which was significantly more prescriptive.66

State risk-based regulations are also less likely to conflict with the cybersecurity frameworks that financial firms typically implement as a matter of best practice or supervisory expectation, including the National Institute of Standards and Technology’s Cybersecurity Framework and the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool, both of which promote risk-based approaches to cyber preparedness. It remains to be seen, however, how the DFS’s and other states’ cybersecurity regulations will be enforced in practice. Though flexible and somewhat amorphous in their language, such regulations, once applied, could generate just as much uncertainty and interstate conflict as more proscriptively phrased regulations.

Likewise, only time will tell whether inconsistencies will develop among the various states’ cybersecurity regulations. The New York regulations may serve as a model for other states, thereby decreasing the risk of conflicting regulatory burdens. The Cybersecurity (EX) Working Group of the National Association of Insurance Commissioners has, in fact, already approved certain changes to its draft Insurance Data Security Model Law based in part on the New York regulations.67 Moreover, one may expect cybersecurity regulations to be, at worst, cumulative rather than inconsistent, requiring financial services institutions to adhere to the strictest regulations from among those to which they are subject. For example, the Colorado Division of Securities recently proposed rules regarding cybersecurity requirements for broker-dealers and registered investment advisers that differ from the DFS Regulations in certain respects.68 As noted above, state regulations “which merely create additional, but not irreconcilable, obligations” might not be considered truly “inconsistent” for dormant Commerce Clause purposes.69 Nevertheless, the current patchwork of widely varying state breach notification requirements provides reason for pause. Indeed, in 2002, when California enacted the nation’s first state data breach notification law,70 few would have suspected that such laws would soon be adopted in nearly every state, and that the various state laws would not only diverge in critical respects but in some instances contradict one another.71

To the extent extraterritoriality and the risk of inconsistent regulations are considered under the Pike balancing test, the burdens discussed above that these considerations impose on interstate commerce would need to be balanced against state cybersecurity regulations’ putative local benefits. Given the meaningful cyberthreats faced by financial services institutions and the related risks posed both to states’ residents and financial systems, states have a meaningful interest in ensuring that financial services institutions operating within their borders adopt adequate cybersecurity measures. Nonetheless, this interest is diluted by at least three considerations. First, as noted in the first part of this article, the cybersecurity programs of the vast majority of financial services institutions operating in the United States – including state-chartered financial services institutions – are already subject to regulation and supervision by various federal authorities. Thus, in practice, state cybersecurity regulations may largely duplicate requirements already imposed on the same financial services institutions.72 Second, state cybersecurity regulations, including the New York regulations, do not apply to national banks and federally charted branches of foreign banks, which represent a large segment of the U.S. banking system. Thus, the potential scope of such regulations is necessarily limited to a segment of the financial services institutions operating in the enacting state – i.e., those chartered or licensed by the state – and to residents who choose to transact with those financial services institutions. Third, the extraterritorial application of state regulations and the interconnectedness of the Internet and information technology systems suggest that, in effect, many of those protected by a given state’s cybersecurity regulations may not be residents of that state. As the U.S. Supreme Court has explained, “[w]hile protecting local [banking customers] is plainly a legitimate state objective, the State has no legitimate interest in protecting nonresident [customers]. Insofar as the [State] law burdens out-of-state transactions, there is nothing to be weighed in the balance to sustain the law.”73

Conclusion
Whether state regulations of financial services institutions’ cybersecurity programs pass muster under the dormant Commerce Clause is an open question that will be answered as the regulatory regimes are developed. In any event, whether the Internet and cybersecurity “require” a cohesive national scheme of regulation within the meaning of the dormant Commerce Clause, there is little doubt that much could be gained from comprehensive federal guidelines or frameworks. The proliferation of state cybersecurity laws and regulations alongside the bevy of federal rules and guidance already in place would unnecessarily increase compliance costs and “divert resources away from genuine risk-based information security policies.”74 For entities operating across state lines, cybersecurity cannot easily or efficiently be addressed on a state-by-state basis. Cybersecurity, like the Internet, is geographically unbounded and, as such, requires serious consideration of a national solution.

About the Authors:

Matthew A. Schwartz is a partner in Sullivan & Cromwell LLP’s Litigation Group. He joined the firm in 2007 after clerking for Justice Samuel A. Alito Jr. of the U.S. Supreme Court. He was elected partner in 2011.  Schwartz’s wide-ranging practice comprises complex litigation, arbitration, and government investigations in the areas of bank regulation, securities law, mergers and acquisitions, derivative suits, antitrust, contracts, estates, and general commercial litigation.

Corey Omer is an associate in Sullivan & Cromwell LLP’s Litigation Group. He represents financial institutions and other corporations in a variety of complex civil litigations, arbitration and mediation proceedings, and government investigations. Omer also represents and advises clients with respect to insurance and cybersecurity matters, including post-data breach recovery.

Endnotes:

  1. Am. Booksellers Found. v. Dean, 342 F.3d 96, 103 (2d Cir. 2003).
  2. 15 U.S.C. § 6801(b) (directing certain federal financial regulatory agencies to “establish appropriate standards for the financial institutions subject to their jurisdiction relating to [data security]”).
  3. 15 U.S.C. §§ 6801(a)–(b).
  4. 15 U.S.C. § 6801(b). The CFTC was added as a federal financial regulator with responsibility for implementing GLBA’s Title V on privacy through the Commodity Futures Modernization Act of 2000. See Section 5g of the Commodity Exchange Act, 7 U.S.C. § 7b-2. Regulations implementing the data safeguards rule are at 12 C.F.R. § 30 (Office of the Comptroller of the Currency), § 208 (Federal Reserve System), § 364 (FDIC), § 748 (National Credit Union Administration); 16 C.F.R. § 314 (Federal Trade Commission); 17 C.F.R. § 160.30 (CFTC); and 17 C.F.R. § 248 (SEC). The federal banking agencies promulgated the “Interagency Guidelines for Safeguarding Consumer Information” through the Federal Financial Institutions Examination Council (FFIEC) and have supplemented the Interagency Guidelines with various guidance documents and bulletins. In 2015, the FFIEC released a Cybersecurity Assessment Tool to help institutions identify their risks and assess their cybersecurity preparedness.
  5. On March 2, 2016, the CFPB brought a cybersecurity-related enforcement action against an online payment platform under its general authority to police unfair, deceptive, or abusive practices. See In the Matter of Dwolla, Inc., U.S. Consumer Financial Protection Bureau Administrative Proceeding File No. 2016-CFPB-007 (Feb. 27, 2016) (consent order).
  6. An exception to this rule is the regulation of insurance providers’ cybersecurity measures by state insurance regulators. In this regard, most state regulators have adopted, with little to no amendment, the National Association of Insurance Commissioners’ (NAIC) 2002 Standards for Safeguarding Customer Information Model Regulation. See Daniel Vinish & Ellen Farrell, “Cybersecurity and Consumer Data Privacy in the Insurance Sector: The Current Framework and a Look Ahead,” Bloomberg BNA (May 11, 2016).
  7. See Cybersecurity Requirements for Financial Services Companies, N.Y. Comp. Codes R. & Regs. tit. 23, § 500 (2017).
  8. Press Release, DFS, “Governor Cuomo Announces First-in-the-Nation Cybersecurity Regulation Protecting Consumers and Financial Institutions from Cyber-attacks to Take Effect March 1” (Feb. 16, 2017).
  9. N.Y. Comp. Codes R. & Regs. tit. 23, § 500.01(c) (2017). “Covered entities” are defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” The regulations provide for limited exemptions for covered entities with: (1) “fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity”; (2) “less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates”; or (3) “less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.” Id. § 500.19(a)(1)–(3).
  10. Id. § 500.02(a).
  11. Id. § 500.09(a).
  12. Id. § 500.03 (requiring covered entity’s cybersecurity policy to “be based on the Covered Entity’s Risk Assessment” and address 14 specified areas “to the extent applicable to the Covered Entity’s operations”).
  13. Id. § 500.16(a).
  14. Id. § 500.07.
  15. Id. § 500.04(a).
  16. Id. § 500.05.
  17. Id. § 500.15.
  18. Id. § 500.17(b).
  19. U.S. Const. art. I, § 8, cl. 3.
  20. See Gibbons v. Ogden, 22 U.S. 1 (1824); see also Willson v. Black-Bird Creek Marsh Co., 27 U.S. 245, 252 (1829) (explicitly recognizing dormant aspect of Commerce Clause).
  21. Am. Trucking Assoc., Inc. v. Mich. Pub. Service Comm’n, 545 U.S. 429, 433 (2005) (alteration in original) (internal quotation marks and citations omitted).
  22. Hughes v. Oklahoma, 441 U.S. 322, 325 (1979).
  23. Recently, in Comptroller of Treasury of Maryland v. Wynne, 135 S. Ct. 1787 (2015), the late Justice Scalia and Justice Thomas penned separate dissents criticizing the dormant Commerce Clause doctrine. Justice Scalia called the doctrine “a judge-invented rule” and “a judicial fraud,” idat 1807–08, while Justice Thomas argued that “the negative Commerce Clause has no basis in the text of the Constitution, makes little sense, and has proved virtually unworkable in application,” idat 1811 (internal quotation marks omitted).
  24. Wyoming v. Oklahoma, 502 U.S. 437, 454 (1992) (internal citations omitted) (holding unconstitutional Oklahoma legislation requiring that Oklahoma coal-fired electric generating plants producing power for sale in Oklahoma burn mixture of coal containing at least 10% Oklahoma-mined coal).
  25. City of Philadelphia v. New Jersey, 437 U.S. 617, 624 (1978) (internal citations omitted) (holding unconstitutional New Jersey statute prohibiting the importation of most “solid or liquid waste which originated or was collected outside the territorial limits of the State”).
  26. Pike vBruce Church, Inc., 397 U.S. 137, 142 (1970); see Brown-Forman Distillers Corp. v. N.Y. State Liquor Auth., 476 U.S. 573, 579 (1986) (Where a statute has “only indirect effects on interstate commerce and regulates evenhandedly, we have examined whether the State’s interest is legitimate and whether the burden on interstate commerce clearly exceeds the local benefits.”).
  27. Pike, 397 U.S. at 142.
  28. Brown-Forman Distillers, 476 U.S. at 579.
  29. With respect to the extraterritoriality doctrine, see, e.g., SPGGC, LLC v. Blumental, 505 F.3d 183, 193 (2d Cir. 2007) (“We have analyzed the extraterritorial effects of state regulations as a form of excessive burden under the Pike balancing test and also as a basis for per se invalidity.” (internal citations omitted)); Int’l Dairy Foods Ass’n v. Boggs, 622 F.3d 628, 645 (6th Cir. 2010) (recognizing extraterritoriality to be “a second category of regulation that is also virtually per se invalid under the dormant Commerce Clause” and collecting cases from other circuit courts reaching same conclusion).
  30. Healy v. Beer Inst., Inc., 491 U.S. 324, 336 (1989).
  31. Energy & Env’t Legal Inst. v. Epel, 793 F.3d 1169, 1172 (10th Cir. 2015), cert. denied, 136 S. Ct. 595 (2015).
  32. These key precedents were Baldwin v. G.A.F. Seelig, Inc., 294 U.S. 511 (1935); Edgar v. MITE Corp., 457 U.S. 624 (1982); and Brown-Forman Distillers, 476 U.S. at 573.
  33. Healy, 491 U.S. at 336 (alteration in original) (internal quotation marks omitted).
  34. Id.
  35. Id.
  36. Id. at 336–37.
  37. Int’l Dairy Foods Ass’n, 622 F.3d at 645–46 (collecting cases from eight Circuit Courts of Appeals recognizing extraterritoriality doctrine as basis for finding state statute unconstitutional pursuant to dormant Commerce Clause).
  38. Legato Vapors, LLC v. Cook, 847 F.3d 825, 830 (7th Cir. 2017).
  39. Gen. Motors Corp. v. Tracy, 519 U.S. 278, 298 n.12 (1997) (collecting cases); see also CTS Corp. v. Dynamics Corp. of Am., 481 U.S. 69, 88 (1987) (“This Court’s recent Commerce Clause cases also have invalidated statutes that may adversely affect interstate commerce by subjecting activities to inconsistent regulations.”).
  40. See, e.g., Wabash, St. L. & P.R. Co. v. Illinois, 118 U.S. 557 (1886) (holding states cannot regulate railroad rates); So. Pac. Co. v. Arizona ex rel. Sullivan, 325 U.S. 761, 767 (1945) (holding states cannot regulate train length); Morgan v. Virginia, 328 U.S. 373, 386 (1946) (invalidating state law that required reseating of passengers on interstate buses to comply with local segregation law).
  41. See Instructional Sys’s, Inc. v. Computer Curriculum Corp., 35 F.3d 813, 826 (3rd Cir. 1994).
  42. United States v. Sutcliffe, 505 F.3d 944, 953 (9th Cir. 2007) (quoting United States v. Trotter, 478 F.3d 918, 921 (8th Cir. 2007) (per curiam)).
  43. Am. Libraries Ass’n v. Pataki, 969 F. Supp. 160, 173 (S.D.N.Y. 1997).
  44. See id.
  45. Id. at 177.
  46. Id. at 177–81.
  47. Id. at 177–79.
  48. Id. at 179–81.
  49. Id. at 181.
  50. Id. at 182.
  51. Id. at 181, 183.
  52. See, e.g., PSINet, Inc. v. Chapman, 362 F.3d 227, 239–40 (4th Cir. 2004) (enjoining enforcement of Virginia pornographic communication law at preliminary injunction stage, in part based on dormant Commerce Clause); ACLU v. Johnson, 194 F.3d 1149, 1160–62 (10th Cir. 1999) (invalidating New Mexico statute criminalizing dissemination by computer of materials harmful to a minor).
  53. See MaryCLE, LLC v. First Choice Internet, Inc., 890 A.2d 818, 844 (Md. Ct. Spec. App. 2006); Washington v. Heckel, 23 P.3d 404, 412–13 (Wash. 2001). A number of courts have also distinguished Pataki where a state law includes as an element “luring” the minor into certain contact or knowledge that the minor is located in the relevant state. See, e.g., People v. Foley, 692 N.Y.S.2d 248, 255–57 (App. Div. 1999) (upholding statute barring the use of the Internet to lure minors).
  54. Greater L.A. Agency on Deafness, Inc. v. Cable News Network, Inc., 742 F.3d 414, 433 (9th Cir. 2014); see also Nat’l Fed’n of the Blind v. Target Corp., 452 F. Supp. 2d 946, 961 (N.D. Cal. 2006) (upholding same California statute on ground that “Target could choose to make a California-specific website” and noting that the Pataki court’s assertion that “someone who puts content on the internet has ‘no way to determine the characteristics of their audience …[such as] age and geographical location’ … is simply incorrect” (quoting Pataki, 969 F. Supp. at 167)).
  55. Nat’l Fed’n of the Blind, 452 F. Supp. 2d at 961.
  56. Id. at 959 (collecting cases).
  57. Wyoming, 502 U.S. at 454.
  58. The DFS’s responses to “frequently asked questions” concerning the Regulations provide that “DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks [are] required to comply with 23 NYCRR Part 500.” DFS, “Frequently Asked Questions Regarding 23 NYCRR Part 500.” The DFS explains that, “in such cases, only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office are subject to the applicable requirements of 23 NYCRR Part 500, whether through the branch’s, agency’s or representative office’s development and implementation of its own cybersecurity program or through the adoption of an Affiliate’s cybersecurity program.” Id.
  59. See Healy, 491 U.S. at 336.
  60. Legato Vapors, LLC, 847 F.3d at 831 (citing Healy, 491 U.S. 324; Brown-Forman Distillers, 476 U.S. 573).
  61. N.Y. Comp. Codes R. & Regs. tit. 23, § 500.01(c) (2017).
  62. Legato Vapors, LLC, 847 F.3d 825.
  63. See supra note 9; N.Y. Comp. Codes R. & Regs. tit. 23, § 500.19(a)(1)–(3) (2017).
  64. Nat’l Elect. Mfrs. Assoc. v. Sorrell, 272 F.3d 104, 111 (2d Cir. 2001) (upholding Vermont law imposing product-labeling requirements for in-state sales of light bulbs, even when the product is produced out-of-state). Likely important in this respect is whether the court considers a financial services institution’s withdrawal from the regulating state to have a “special, disproportionate injury to interstate commerce” and residents of other states. Id. As the Court explained in Sorrell, “[i]f lamp manufacturers were to withdraw from the Vermont market, only Vermont residents would feel any appreciable effect, in the lost utility of mercury-bearing bulbs.” Id. By contrast, the considerations are quite different in cases involving state restrictions on interstate transport. “Transporters forced either to abide by state rules or avoid the state entirely would necessarily be impeded, if they chose the latter course, in their efforts to conduct commerce with the surrounding states because they would be unable to pass through the regulating state.” Id. at 112.
  65. Pataki, 969 F. Supp. at 182; see also, e.g., Am. Booksellers Found., 342 F.3d at 103 (noting that, “[b]ecause the internet does not recognize geographic boundaries, it is difficult, if not impossible, for a state to regulate internet activities without project[ing] its legislation into other states” (second alteration in original) (internal quotation marks omitted)); Backpage.com, LLC v. McKenna, 881 F. Supp. 2d 1262, 1285–86 (W.D. Wash. 2012) (noting “the Internet is likely a unique aspect of commerce that demands national treatment”).
  66. For example, while the initial proposed regulations released by the DFS on September 13, 2016 imposed relatively rigid requirements concerning data retention and destruction, monitoring and testing, access privileges, multifactor authentication, and encryption, the final Regulations issued on February 16, 2017 ease some (though not all) of these requirements and tie others to the Covered Entity’s risk assessments. These changes were largely the product of comments received by the DFS during a 45-day notice and public comment period on the initial proposed regulations. See, e.g., Comment Letter from Gregg Rozansky on behalf of The Clearing House to Cassandra Lentchner (Nov. 14, 2016), (urging DFS to adopt more flexible, risk-based approach).
  67. See, e.g., NAIC, Redline of Version 4 of Draft Insurance Data Security Model Law Against Version 3 §§ 3, 4, 9 (Apr. 26, 2017), (showing changes to certain provisions of Draft Insurance Data Security Model Law that render those provisions similar or identical to the New York regulations).
  68. The proposed Colorado rules provide that, “[i]n determining whether the cybersecurity procedures are reasonably designed, the [Colorado Securities Commissioner] may consider … [t]he automatic locking of devices used to conduct the firm’s electronic security” and “[t]he firm’s process for reporting of lost or stolen devices.” The proposed rules also provide that “[t]o the extent reasonably possible, the cybersecurity procedures must provide for . . . [p]rocedures for authenticating client instructions received via electronic communication” and “[d]isclosure to clients of the risks of using electronic communications.” None of these cybersecurity measures is specifically referenced in, let alone required by, the New York regulations. Moreover, many of the requirements in the New York regulations are not mirrored in the proposed Colorado rules. Compare Colorado Division of Securities, Notice of Proposed Rulemaking Under 3 Colo. Code Regs. § 704-1 (Mar. 6, 2017), §§ 51-4.8(A)(6)–(7), (C)(4)–(5) (rules applicable to broker-dealers) and id. §§ 51-4.14(IA)(A)(6)–(7), (C)(4)–(5) (rules applicable to investment advisors), with N.Y. Comp. Codes R. & Regs. tit. 23, § 500.03 (areas that must be covered by cybersecurity policy).
  69. See Instructional Sys’s, Inc., 35 F.3d at 826.
  70. See California S.B. 1386, Cal. Civ. Code §§ 1798.29, 1798.82.
  71. Compare Mass. Data Breach Notification Law, Mass. Gen. Law ch. 93H § 3(b) (providing that notice of breach to residents of Massachusetts “shall not include the nature of the breach or unauthorized acquisition or use or the number of residents of the commonwealth affected by said breach or unauthorized access or use”), with Fl. Stat. § 501.171(4)(e) (providing that “[t]he notice to an individual with respect to a breach of security shall include, at a minimum … [a] description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security”).
  72. See Dixie Dairy Co. v. City of Chicago, 538 F.2d 1303, 1310 (7th Cir. 1976) (holding Chicago ordinance that required out-of-state dairy producers selling their milk in Chicago to submit to on-site inspections by the Chicago Board of Health to be unconstitutional under Pike balancing test because Chicago inspections were duplicative of those conducted by other states, which were sufficient to “fully protect Chicago’s health interest” and “in fact the ordinance has no appreciable effect in promoting [Chicago’s health interest]”).
  73. Edgar, 457 U.S. at 644.
  74. Comment letter from Bill Himpler on behalf of the American Financial Services Association in response to the Federal Trade Commission’s call for public comment on the Standards for Safeguarding Customer Information, 16 CFR 314, Project No. P145407 (Nov. 21, 2016) (urging FTC to preempt state data security laws).

Related Blog Posts