Page 36 - The IT Guidebook

CYBERSECURITY - LEGAL EXPERT ANALYSIS

NAVIGATING THE AMBIGUOUS REQUIREMENT OF 'REASONABLE SECURITY' MEASURES WHILE PROTECTING PERSONAL INFORMATION.

Over the last couple of years, cybersecurity laws have commonly required that sensitive information be protected through the use of "reasonable security." Business owners have likely heard that they are required to protect sensitive information, but may not understand how to specifically go about this. The term "reasonable security" has often been left ambiguous, and guidance as to what is required for your specific business might be hard to find.

As a starting point, it is important to understand that what constitutes appropriate security safeguards may depend upon the type of information that you collect and the type of business that you operate. For example, if you are a medical professional, or holding information for a medical professional, you may be subject to the HIPAA Security Rule (HIPAA) (which lists specific safeguards for the protection of electronic health information), and if you are a financial institution, or holding information for a financial institution, you may need to comply with the Gramm-Leach-Bliley Act (GLBA) (which identifies specific requirements and safeguards for the protection of customer information).

Administrative guidance elaborates on each of these laws by laying out certain cybersecurity safeguards that should be put in place, including but not limited to: access controls, monitoring solutions, and disaster recovery procedures. Further, under both HIPAA and GLBA, if any of the regulated entity's vendors receive protected information from that regulated entity, then the regulated entity is required to contractually bind that vendor in writing to treat the protected information in the same manner as the regulated entity.

In addition to laws and regulations that require entities to implement appropriate safeguards, attorneys' ethical requirements provide guidance on determining what constitutes reasonable security and read in the requirements to implement specific cybersecurity safeguards. Even if, however, you are not subject to the laws and regulations referenced above, if you collect private information from a New York state resident, you are still required to implement reasonable security. As of March 21, 2020, the New York "Stop Hacks and Improve Electronic Data Security Act" (SHIELD Act) specifically requires that any person or business that collects private information of a New York resident must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but not limited to, disposal of the data.



CONTINUED ON NEXT PAGE















