Can I avoid having a data breach response plan in New York? What are the requirements?
Data Breach Response Plan Requirements in New York
Under New York State law, any person or business that owns or licenses computerized data that includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data [3.1].
Furthermore, each covered entity shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the covered entity’s information systems or the continuing functionality of any aspect of the covered entity’s business or operations [1.1].
Therefore, it is mandatory for businesses to have a data breach response plan in New York. The incident response plan should address [1.1]:
- the internal processes for responding to a cybersecurity event;
- the goals of the incident response plan;
- the definition of clear roles, responsibilities and levels of decision-making authority;
- external and internal communications and information sharing;
- identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
- documentation and reporting regarding cybersecurity events and related incident response activities; and
- the evaluation and revision as necessary of the incident response plan following a cybersecurity event.
In summary, businesses cannot avoid having a data breach response plan in New York. They must develop, implement, and maintain reasonable safeguards to protect private information and establish a written incident response plan to promptly respond to and recover from any cybersecurity event.
Additionally, in the event of a breach of the security of the system or a breach of network security, the office shall notify the chief information officer, the chief information security officer, and where appropriate, the cyber security coordinator of any state entity with which it shares data, provides networked services or shares a network connection whose data, services or connection is reasonably suspected to be affected by any such breach [2.1]. Any state entity that owns or licenses computerized data that includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization [2.2].
Therefore, it is crucial for businesses to have a data breach response plan in place to ensure prompt notification and remediation of any breach of the security of the system or a breach of network security.
Source(s):
- [1.1] Incident response plan
- [2.1] Notification of a breach of the security of the system or a breach of network security; shared data
- [2.2] Notification; person without valid authorization has acquired private information
- [3.1] Data security protections
Jurisdiction: New York