Can I skip having an information security program in place in New York? What are the requirements?
Information Security Program Requirements in New York
In New York, all businesses that collect private information from New York residents are required to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that information [4]. These safeguards must be designed to prevent unauthorized access, use, disclosure, destruction, or modification of the information [4].
The New York State Department of Financial Services (NYDFS) has also established cybersecurity regulations that apply to financial institutions operating in New York [1]. These regulations require covered entities to establish and maintain a cybersecurity program that is designed to protect the confidentiality, integrity, and availability of the entity’s information systems and nonpublic information [1]. The program must be based on a risk assessment and must include policies and procedures for access controls, data encryption, incident response, and third-party service provider management, among other things [1].
Conclusion
In summary, businesses in New York are required to implement and maintain reasonable safeguards to protect the security of private information collected from New York residents. Financial institutions operating in New York are also required to establish and maintain a cybersecurity program that is designed to protect their information systems and nonpublic information. Therefore, it is not possible to skip having an information security program in place in New York.
Source(s):
- [1] Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements
- [4] Protecting Personal Information: A Guide for Business | Federal …
Jurisdiction
New York