Cyber Security Resources Page – Compliance - Cloud 9

Compliance Around Technology Use in Your Organization

An overview of laws businesses and organizations need to be in compliance with in regards to cyber security in NY, NJ and CT.

Laws applicable to most businesses in the US (NY, NJ, CT):

PCI DSS Compliance

The Payment Card Industry Security Council’s Data Security Standard (PCI DSS) is set and maintained by the major global credit card companies. These security standards are designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

This is not a federally regulated standard.

Through completing a questionnaire merchants can determine whether or not they are in compliance. For more information, please visit https://www.pcisecuritystandards.org/standards/

Consumer Data Compliance

Since 2018, all 50 US states have enacted breach notification laws which require organizations to notify state government about any security breaches that may have compromised consumer data. These data laws apply to all organizations that use or store sensitive customer data such as credit card or bank account numbers, social security numbers and driver’s license numbers.

Common provisions include:

Requirement to notify affected state residents within reasonable time frames,
Notification to state attorney general and/or consumer reporting agency.

In addition, The Federal Trade Commission (FTC) can also penalize organizations who fail to protect consumer information adequately.

1) The applicable law in New York State is the Security Breach and Notification Act. For more information, see https://dos.ny.gov/data-security-breach-management

2) In New Jersey, as a result of the New Jersey Identity Theft Prevention Act, business executives are asked to fill out the State of New Jersey Data Breach Report on this website: https://www.cyber.nj.gov/breach/

3) In Connecticut, pursuant to regulation § 36a-701b, in case a breach occurs business need to report such incident through this website: https://portal.ct.gov/AG/Sections/Privacy/Reporting-a-Data-Breach

Electronic Communications Privacy Act (1986)

The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.

The ECPA is mostly concerned with the unauthorized access by employees or external parties trying to access sensitive or valuable data. One of it’s implications however is that one may not record a conversation without another party’s knowledge. A notable exemption to ECPA are video recordings without an audio recording component.

Kari’s Law (2018)

This law was enacted to ensure that anyone can reach a 911 call center when dialing 9-1-1 from a Multiline telephone systems. MLTS are are typically found in large office buildings, campuses, and hotels. If your organization still has a legacy PBX system or analog system on premises, please verify with your PBX vendor you are in compliance or upgrade to a UCaaS platform offered by any of the major providers in the US.

For more information, please visit https://www.911.gov/issues/legislation-and-policy/kari-s-law-and-ray-baum-s-act/

RAY BAUM’S Act (2019)

Emphasizes the importance of making the actual, physical and dispatachble location from all 911 calls available first responders. This must include street address, building, floor and room number along with a valid call back number.

This means that the address change feature on all Multiline telephone systems, VoIP, UCaaS systems and Relay Services need to be easily accessed and updated. To stay in compliance, please ensure your Certified Cloud Partner maintains and updates all address for you or one of your staff members has been designated to complete this task in-house.

Public Act No. 21-119 in the State of Connecticut (2021)

This act was created to incentivize the adoption of cybersecurity standards for businesses in this state. It provides a layer of protection to businesses against lawsuits brought against them seeking punitive damages for data breaches. This safe harbor statute only applies to businesses that “created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information” however. In order to be in compliance, business must work with guidelines listed in frameworks put forth by The National Institute of Standards and Technology, FedRAMP Security Assessment Framework or the The Center for Internet Security.

SHIELD Act (2019) in NY State

This act amends the existing Information Security Breach and Notification Act (2005).

Under the 2005 law, a security breach is defined as an unauthorized acquisition of computerized data which compromises the security, confidentiality or integrity of private information. In addition under this 2005 law, private information was any personal information concerning a natural person in combination with any one or more of the following data elements: social security number, driver’s license number, account number, or credit or debit card number in combination with any required security code.

Under The SHIELD Act the definition of a security breach has been expanded to any access to computerized data that compromises the confidentiality, security, or integrity of private data. Under the SHIELD act the definition of private information is expanded to include biometric information, and username/email address and password credentials.

More over, the SHIELD Act requires any person or business that maintains private information to adopt administrative, technical and physical safeguards. This includes for example:

Assessing internal and external risks and implementing controls to reduce those risks.
Vetting service providers and binding them contractually to safeguard private information.
Securely destroying private information within a reasonable amount of time after it is no longer needed for business purposes.
Designating an employee or employees to coordinate the data security program.
Training and managing employees in the security program practices and procedures.

For more information, please see this document: https://ag.ny.gov/internet/data-breach

Telephone Consumer Protection Act (1991)

The TCPA applies to telemarketing activities. It contains various regulations, among which the stipulation that solicitors need to honor the National Do Not Call Registry and to maintain do not call list in house. What matters for businesses mostly is the prohibition of solicitations to residences that use an artificial voice or a recording.

Regulations By Industry:

Financial Industry
(NY, NJ, CT):

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (2022):

Requires critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA).

Gramm-Leach-Bliley Act (1999):

This Act requires companies which offer consumers financial products or services to safeguard sensitive data and to explain their information-sharing practices to their customers. The financial organization is required to protect their systems and their customers’ information.

For more information, see: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

The New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) (2017):

The individuals and entities required to comply with Financial Services Cybersecurity Regulation include those who are operating under the Banking Law, the Insurance Law, or the Financial Services Law.

Each company should implement a cybersecurity program that is proportionate to its resources and risk. But regardless of a company’s size or complexity,

The regulation requires every DFS-regulated company to implement controls outlined in Guidance provided. This includes for example:

1: Email Filtering and Anti-Phishing Training of staff.

2: Vulnerability/Patch Management program.

3: Implementation of Multi-Factor Authentication (“MFA”).

4: Disable RDP Access from the internet wherever possible.

5: Advanced Password Management.

6: Implementation of the principle of least privileged access. This means each user or service account should be given the minimum level of access necessary to perform the job.

7: Regulated companies must have a way to monitor their systems for intruders and respond to alerts of suspicious activity.

8: Tested and Segregated Backups to mitigate ransomware attacks.

9: Having an Incident Response Plan in place should a cyber attack occur.

For details please see this document: https://www.governor.ny.gov/sites/default/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf

For details, please see this website: https://www.dfs.ny.gov/industry_guidance/industry_letters/il20210630_ransomware_guidance

Legal Industry
(NY, NJ, CT):

Beginning January 2, 2023, all attorneys in New York are obligated to take continuing legal education courses on cybersecurity topics as a condition of practicing law in New York. They must complete at least one credit hour on cybersecurity, privacy and data protection as part of their biennial continuing legal education requirement. This new continuing legal education requirement, the first in the nation, was ordered by the New York Supreme Court, Appellate Division, the regulating body of the legal profession in New York state.

In addition, for example, as part of this requirement, the following obligations are in place:

Lawyer’s Ethical Obligations:

1) A lawyer must take reasonable care to affirmatively protect client confidential information (NYSBA Committee on Professional Ethics),

2) Lawyers have the professional responsibility to safeguard and secure clients’ electronic data and communication

3) In case of a data breach or cyber attack, NY based lawyers have the ethical obligation to disclose to clients they were subject to a breach as well as to court, opposing counsel and third parties.

For details, please see https://nysba.org/new-york-state-bar-association-recommends-cybersecurity-requirement-include-cle/

Healthcare and Wellness Sector
(NY, NJ, CT):

Health Insurance Portability and Accountability Act (HIPAA) (1996)

This federal legislation requires providers of health care (including mental health care) to ensure the privacy of patient records and health information. The Privacy Rule protects all “protected health information” (PHI), including individually identifiable health or mental health information held or transmitted by a covered entity in any format, including electronic, paper, or oral statements.

Recommended Cyber Security Frameworks:

Applicable to most
businesses in the
US (NY, NJ, CT)

A cybersecurity framework is a collection of best practices that an organization should follow to manage its cybersecurity risk. With a framework in place it becomes much easier to define the processes and procedures that your organization must take to assess, monitor, and mitigate cybersecurity risk. Well known and trusted frameworks are:

ISO 27001 and ISO 27002:

Both international standard that describe best practice for information security management systems. With an ISO certification, companies can demonstrate to the board, customers, partners, and shareholders that they are doing the right things to manage cyber risk.

NIST Cyber Security Framework:

The NIST Cybersecurity Framework, designed by the National Institute of Standards and Technology, is designed for individual businesses and other organizations to assess risks they face. The framework is divided into three parts, “Core”, “Profile” and “Tiers”. The “Framework Core” contains an array of activities, outcomes and references about aspects and approaches to cybersecurity. For details, please visit: https://www.nist.gov/cyberframework

SOC2:

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy.

Other resources:

The FCC has made available useful documentation around best practices for small businesses. Please visit the site here: https://www.fcc.gov/communications-business-opportunities/cybersecurity-small-businesses

Further resources:

Subscribe to our newsletter

Want to learn more?

GET IN TOUCH

Let's Ignite Your Digital
Transformation

Let’s rapidly identify core needs and discuss how a specific set of Cloud-Based Technologies can move your organization forward. A 15 minute initial conversation tends to suffice. Contact us and a Cloud Consultant will reach out to you to set up a short meeting.

Providers: Please note that Firstlight Cloud Xchange

only works through Distributors and Master Agencies.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.