Specific technical safeguards are identified, such as secure authentication protocols, secure access control measures, and encryption of personal information stored on laptops and mobile devices, as well as of any files or records that contain personal information and that may be transmitted across a public network. A Minnesota business may have to pay attention to these Massachusetts data security laws and regulations if it collects any personal information of a Massachusetts resident. Many businesses have used the Massachusetts WISP as a model to create a written data security program that not only complies with Massachusetts law but can also be used to respond to customer requests for such written data security policies and to require vendors handling data to have the same or similar programs in place.

New York

On March 21, 2020, the data security provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect. The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information. Violations of the SHIELD Act are considered deceptive acts or practices and may be enforced by the New York Attorney General. Covered businesses may be liable for a civil penalty of up to $5,000 per violation.

In March 2017, the New York State Department of Financial Services (DFS) issued sweeping new cybersecurity regulations with an unprecedented level of accountability for senior management. The regulations impact financial institutions, insurance companies, health plans, and charitable institutions, and can affect organizations outside of New York. Under the new rules, covered entities must appoint a qualified staff member as Chief Information Security Officer (CISO) to implement and enforce a