We are all aware of federal compliance regulations when it comes to the privacy and security of our information. For example, you’d be hard pressed to find someone who hasn’t heard of HIPAA. Yet are you aware that regulations have been put in place at the state level that have the same goal – to protect our security and privacy?
This month (March 2019), the state of New York reached the end date for the Cybersecurity Regulation of the New York Department of Financial Services (NYDFS) regulations. These required third-party service providers to meet certain requirements that address their data security and compliance. A two-year time frame was provided to allow those banking, insurance, and other institutions that fell under the Covered Entities title to reach that compliance measure. The window to meet the Cybersecurity Regulation of the New York Department of Financial Services (NYDFS) was established with a generous frame due to the complexity of the process, so anyone not meeting that deadline will be a target for enforcement.
Written policies and procedures take time and finding qualified people to first learn your business and establish your compliance is not something you can take on lightly. The NYDFS required identification, risk assessment, establishing minimum cybersecurity practices that include encryption, controlled access, contractual protection, and finally due diligence processes to evaluate cybersecurity practices of third-party vendors.
As of today, 50 states have varying legislatures enacted that outline data breach notification laws. Do you know what your legal requirements are if you are hacked? What if you work with clientele across state lines? All very important questions. It is always wise to go with the guideline that is more stringent. When it comes to cybersecurity and privacy there is no limit to how strong your line of defense should be.
Having a plan in place to prevent and remediate damage is key, but you also need to ensure that you are covering all of the legalities in your process.