Page 37 - The IT Guidebook

CYBERSECURITY - LEGAL EXPERT ANALYSIS

NAVIGATING THE AMBIGUOUS REQUIREMENT OF ‘REASONABLE SECURITY’ MEASURES WHILE PROTECTING PERSONAL INFORMATION.

Over the last couple of years, cybersecurity laws have commonly required that sensitive information be protected through the use of “reasonable security.” Business owners have likely heard that they are required to protect sensitive information, but may not understand how to specifically go about this. The term “reasonable security” often has been left ambiguous, and guidance as to what is required for your specific business might be hard to find.

As a starting point, it is important to understand that what constitutes appropriate security safeguards may depend upon the type of information that you collect and the type of business that you operate. For example, if you are a medical professional, or holding information for a medical professional, you may be subject to the HIPAA Security Rule (HIPAA) (which lists specific safeguards for the protection of electronic health information), and if you are a financial institution, or holding information for a financial institution, you may need to comply with the Gramm-Leach-Bliley Act (GLBA) (which identifies specific requirements and safeguards for the protection of customer information).

Administrative guidance elaborates on each of these laws by laying out certain cybersecurity safeguards that should be put in place, including but not limited to: access controls, monitoring solutions, and disaster recovery procedures. Further, under both HIPAA and GLBA, if any of the regulated entity’s vendors receive protected information from that regulated entity, then the regulated entity is required to contractually bind that vendor in writing to treat the protected information in the same manner as the regulated entity.

In addition to laws and regulations that require entities to implement appropriate safeguards, attorneys’ ethical requirements provide guidance on determining what constitutes reasonable security and read in the requirements to implement specific cybersecurity safeguards. Even if, however, you are not subject to the laws and regulations referenced above, if you collect private information from a New York state resident, you are still required to implement reasonable security. As of March 21, 2020, the New York “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act) specifically requires that any person or business that collects private information of a New York resident must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including but not limited to, disposal of the data.



CONTINUED ON NEXT PAGE