A Legal Guide to PRIVACY AND DATA SECURITY 2025

requirements. Again, based on the Risk Assessment, the CISO must also develop a comprehensive cybersecurity policy for the organization, detailing areas such as data governance, access controls and identity management, systems and network security, and incident response. While these regulations are somewhat flexible, in that they allow for modification based on the particular risks faced by any given organization, they are also extensive and highly detailed. Minnesota companies that may at any time be regulated by the New York DFS should carefully monitor these regulations and stay up to date with any newly-issued guidance.

Other State Privacy and Breach Notification Laws

Following extensive fears of identity theft and highly publicized data security breaches, most states, including Minnesota, passed laws requiring consumer notification when a security breach involving private information occurs. While there continues to be discussion about the need for a comprehensive federal law that would preempt the patchwork of state laws and create a uniform standard, as of the publication of this Guide, there is no such federal breach notification statute. A Minnesota business is therefore still required to comply with multiple state laws in the event of a data breach that involves the personal information of residents of other states.

State Breach Notification Laws

Minnesota and all other states have enacted laws that require notification to individuals in the event of a security breach of sensitive or personal information. These laws usually cover any businesses that conduct business in the state and own, license, or maintain information covered by the statute (usually defined as the person’s name, combined with their social security number, driver’s license number, or credit and banking account information), regardless of the size of the business.
