M.A. Polce Consulting

M.A. Polce Insights

Regulatory Compliance
Author: Bea Ewing
Date: January 3, 2022
Cybersecurity Regulatory Compliance

Let’s face it. Regulatory compliance is not a fun topic, but it is a necessary one. With regulations ever-changing, standards varying by sector, industry, and state–sometimes overlapping– it is a confusing and daunting subject for many businesses.  

Compliance regulations are enacted to keep client, employee, and vendor information safe from cybercriminals who are finding new ways to access this sensitive data. Organizations must show that they have all the necessary protocols in place, or they can face harsh consequences.  

Let’s take a look at the top three New York State regulations we are most often asked about.  

  • 23 NYCRR Part 500
  • NYS Education Law 2-D


Requires companies to “implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of private information. In a broad overview, these “reasonable” cybersecurity measures include: 

  • Administrative safeguards – training and employee management
  • Technical safeguards – network design assessment, failure detection
  • Physical safeguards – intrusion prevention, risk management

If you fail to comply with the NYS SHIELD Act, you may be subject to legal penalties such as hefty fines, imprisonment, forfeiture of rights, or other penal sanctions. 

NYDFS Cybersecurity Regulation 23 NYCRR 500  

The financial service industry is a lucrative target for cybercriminals. The New York State Department of Financial Services (NYDFS) created the Cybersecurity Regulation (23 NYCRR 500) to protect financial service information systems and consumer data. Under this set of requirements, financial service organizations in NYS must develop and implement a robust and effective cybersecurity program. It requires businesses to assess their cyber-risk and develop a plan that proactively addresses any discovered risks. These guidelines ensure that a comprehensive cybersecurity program and cybersecurity policies are in place. This includes: 

  • Installment of a detailed cybersecurity plan
  • Designation of a Chief Information Security Officer (CISO)
  • Enactment of a comprehensive cybersecurity policy
  • Initiation and maintenance program

Failure to comply withNYDSF’s cybersecurity regulations subjects a company to legal action, such as heavy fines. However, the full extent of legal penalties has yet to be defined. 

NYS Education Law 2-D  

In the New York State Education Department’s (NYSED) attempt to harden data security and privacy, educational agencies, and their Third-Party Contractors (TPC) are now required to perform a set of basic obligations to protect the security, confidentiality, and integrity of student PPI in its custody.  

The notable new requirements involve:  

  • Ed. Law 2-d regulations apply not only to public school districts but to Charter schools and state-approved special education schools. 
  • The inclusion of the Parent’s Bill of Rights in every third-party contract that possesses student, teacher, and principal PII. 
  • Transparency about the third-party agreements relating to private data that they are a party to on their websites. 
  • Adoption of a policy and privacy plan that aligns with the NIST CFS framework. 

For educational agencies, there are no civil penalties for a data breach or unauthorized release of a PII. However, when a TPC fails to comply with its specified regulations, it can face several civil penalties depending on the type of violation. Repeated violations result in more severe penalties. Such penalties include monetary fines, restricted access to PII of the affected educational agency, or restricted access to PII from any educational agency in the state for a fixed period of up to five years.  

Complying with these regulations is a must, but the process does not have to be discouraging. To begin working on your compliance program, identify what type of data you work with and process. Then, look into what requirements may apply to your organization based on the type of data you hold. Also, as compliance requirements vary from state to state, look at the regulations in your state and those of the states you do business with.  

If you need additional help, reach out to a company that handles regulatory compliance like M.A. Polce to help guide you through the process.  


Company Insights

We Strive To Be The Best

The M.A. Polce Difference:

24/7/365 Operations & Support

Superior Customer Service

30+ Experienced Engineers

SOC 2 &
NIST Compliance

Rapid Incident Response

You are now leaving MA Polce Consulting

MA Polce Consulting provides links to web sites of other organizations in order to provide visitors with certain information. A link does not constitute an endorsement of content, viewpoint, policies, products or services of that web site. Once you link to another web site not maintained by MA Polce Consulting, you are subject to the terms and conditions of that web site, including but not limited to its privacy policy.

You will be redirected to

Click the link above to continue or CANCEL