New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information. Violations of the SHIELD Act are considered deceptive acts or practices and may be enforced by the New York Attorney General. Covered businesses may be liable for a civil penalty of up to $5,000 per violation.

In March 2017, the New York State Department of Financial Services (DFS) issued sweeping new cybersecurity regulations with an unprecedented level of accountability for senior management. The regulations impact financial institutions, insurance companies, health plans, and charitable institutions, and can affect organizations outside of New York. Under the new rules, covered entities must appoint a qualified staff member as Chief Information Security Officer (CISO) to implement and enforce a comprehensive cybersecurity program and policy. The CISO must perform periodic Risk Assessments to assess the confidentiality, integrity, security, and availability of the organization’s information systems and nonpublic information. Based on this assessment, the CISO must then develop a thorough cybersecurity program which must, at a minimum: (1) identify internal and external cyber risks; (2) use defensive infrastructure and the implementation of policies and procedures to protect information systems and nonpublic information; (3) detect cybersecurity events; (4) respond to, detect, and mitigate the effects of cybersecurity events; (5) recover from cybersecurity events; and (6) fulfill regulatory reporting requirements. Again, based on the Risk Assessment, the CISO must also develop a comprehensive cybersecurity policy for the organization, detailing areas such as data governance, access controls and identity management, systems and network security, and incident response.
While these regulations are somewhat flexible, in that they allow for modification based on the particular risks faced by any given organization, they are also extensive and highly detailed. Minnesota companies that may at any time be regulated by the New York DFS should carefully monitor these regulations and stay up to date with any newly issued guidance.