By Paul Lanois, SSCP, CIPP, CIPT, CIPM and Eric Tieling, CISSP, CIPP/E
The landscape of privacy and related legislation in the United States continues to get more interesting. Despite the California Consumer Privacy Act (CCPA) being the talk of the town for privacy and security professionals, New York also put something noteworthy in place, called the “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act, in short. Not only is it relatively prescriptive, but it also encompasses cybersecurity obligations that are particularly relevant for security professionals.
The SHIELD Act of New York was signed into law in July and becomes effective on March 21, 2020. It requires businesses that own or license New York residents’ private information to implement and maintain a data security program by requiring data security controls and data breach notification procedures.
Let’s start with a look at what’s needed for addressing the data security program requirements of the SHIELD Act. In general, businesses must put reasonable administrative safeguards in place, starting with the designation of at least one employee as coordinator of the security program, which could correspond to the role of an Information Security officer.
"Reasonably foreseeable risks," both internal and external, must be assessed, and safeguards have to put in place to be in control of the identified risks. Security training and educating employees regarding the security program practices and procedures is mandatory now as well. And, in case of business changes or new circumstances, the security program needs to be adapted.
The next pillar of the SHIELD Act deals with technical safeguards. Called out here are measures for assessing risks in network and softwa ..
Support the originator by clicking the read the rest link below.
