When the first public data breach occurred in 2005, there was little to no legal oversight in place. In response to data breaches, the threat actors were typically held solely responsible. As the law has evolved and data security incidents have become more common, public and regulatory sentiment has shifted from blaming the threat actor toward holding the victim company accountable based on its purportedly deficient cybersecurity program.
While the sufficiency of these programs was previously judged against subjective “reasonableness” standards, what counts as an “acceptable” cybersecurity program has become more objective as regulators, such as the New York Department of Financial Services (NYDFS), continue to implement, amend and mature the applicable laws, laying out clear standards and expectations as described below.