Many businesses have used the Massachusetts WISP as a model to create a written data security program that not only complies with Massachusetts law but can also be used to respond to customer requests for such written data security policies and to require vendors handling data to have the same or similar programs in place.

New York

On March 21, 2020, the data security provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect. The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a New York resident (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that private information. Violations of the SHIELD Act are considered deceptive acts or practices and may be enforced by the New York Attorney General. Covered businesses may be liable for a civil penalty of up to $5,000 per violation.

In March 2017, the New York State Department of Financial Services (DFS) issued sweeping new cybersecurity regulations with an unprecedented level of accountability for senior management. The regulations impact financial institutions, insurance companies, health plans, and charitable institutions, and can affect organizations outside of New York. Under the new rules, covered entities must appoint a qualified staff member as Chief Information Security Officer (CISO) to implement and enforce a comprehensive cybersecurity program and policy. The CISO must perform periodic Risk Assessments to assess the confidentiality, integrity, security, and availability of the organization’s information systems and nonpublic information.
Based on this assessment, the CISO must then develop a thorough cybersecurity program which must, at a minimum: (1) identify internal and external cyber risks; (2) use defensive infrastructure and the implementation of policies and procedures to protect information systems and nonpublic information; (3) detect cybersecurity events; (4) respond to, detect, and mitigate the effects of cybersecurity events; (5) recover from cybersecurity events; and (6) fulfill regulatory reporting
131