New York State Cyber Compliance Regulations
Let’s face it. Regulatory compliance is not a fun topic, but it is a necessary one. With regulations ever-changing, and standards varying by sector, industry, and state–sometimes overlapping– it is a confusing and daunting subject for many businesses.
Compliance regulations are enacted to keep client, employee, and vendor information safe from cybercriminals who are finding new ways to access this sensitive data. Organizations must show that they have all the necessary protocols in place, or they can face harsh consequences.
Let’s take a look at the top three New York State regulations we are most often asked about.
NYS SHIELD Act
Requires companies to “implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of private information. In a broad overview, these “reasonable” cybersecurity measures include:
- Administrative safeguards – training and employee management
- Technical safeguards – network design assessment, failure detection
- Physical safeguards – intrusion prevention, risk management
If you fail to comply with the NYS SHIELD Act, you may be subject to legal penalties such as hefty fines, imprisonment, forfeiture of rights, or other penal sanctions.
NYDFS Cybersecurity Regulation 23 NYCRR 500
The financial service industry is a lucrative target for cybercriminals. The New York State Department of Financial Services (NYDFS) created the Cybersecurity Regulation (23 NYCRR 500) to protect financial service information systems and consumer data. Under this set of requirements, financial service organizations in NYS must develop and implement a robust and effective cybersecurity program. It requires businesses to assess their cyber risk and develop a plan that proactively addresses any discovered risks. These guidelines ensure that a comprehensive cybersecurity program and cybersecurity policies are in place. This includes:
- Installment of a detailed cybersecurity plan
- Designation of a Chief Information Security Officer (CISO)
- Enactment of a comprehensive cybersecurity policy
- Initiation and maintenance program
Failure to comply with NYDSF’s cybersecurity regulations subjects a company to legal action, such as heavy fines. However, the full extent of legal penalties has yet to be defined.
NYS Education Law 2-D
In the New York State Education Department’s (NYSED) attempt to harden data security and privacy, educational agencies and their Third-Party Contractors (TPC) are now required to perform a set of basic obligations to protect the security, confidentiality, and integrity of student PPI in its custody.
The notable new requirements involve:
- Ed. Law 2-d regulations apply not only to public school districts but to Charter schools and state-approved special education schools.
- The inclusion of the Parent’s Bill of Rights in every third-party contract that possesses student, teacher, and principal PII.
- Transparency about the third-party agreements relating to private data that they are a party to on their websites.
- Adoption of a policy and privacy plan that aligns with the NIST CFS framework.
For educational agencies, there are no civil penalties for a data breach or unauthorized release of a PII. However, when a TPC fails to comply with its specified regulations, it can face several civil penalties depending on the type of violation. Repeated violations result in more severe penalties. Such penalties include monetary fines, restricted access to the PII of the affected educational agency, or restricted access to PII from any educational agency in the state for a fixed period of up to five years.
How to Become Compliant with New York State Cyber Regulations
Complying with these regulations is a must, but the process does not have to be discouraging. To begin working on your compliance program, identify what type of data you work with and process. Then, look into what requirements may apply to your organization based on the type of data you hold. Also, as compliance requirements vary from state to state, look at the regulations in your state and those of the states you do business with.