Privacy Laws and Compliance

I’m starting to notice that a lot of small businesses are unaware of this new law in effect:

In March 2020, the New York SHIELD Act went into effect.

If you’re not familiar with it, it requires any business sending sensitive information to a NY resident to protect it, or they could face a fine of up to $250,000. The NY SHIELD Act also defines user names and passwords as sensitive information.

MSPs are using our Bracket encryption to help protect against this.

By the way, there are 22 other states with consumer data protection laws.

Yes, they all want to call it their own thing and throw some different words around, but in reality they are all just aiming to protect consumer information and rights, including the right to remove personal information from a company’s databases.

While it may be confusing at first glance, there is an easy way to get it all sorted out, and most of it already is. I was on a call the other day where one of the speakers, Mike Semel, really alluded to the fact that most are already using the NIST CSF as a basis. This includes HIPAA.

But as you can well imagine, with 22 states already implementing consumer protection laws, the rest will undoubtedly jump on the bandwagon. Please don’t get me wrong: I believe that the US should have a sweeping and all-inclusive set of imposed guidelines, much like the EU has adopted. I also feel that the NIST CSF is the way to go. It is already written, and if all states abided by it strictly, it would be much easier to implement. As it stands, if you do business in the 22 states that have adopted a consumer protection law, then you potentially need to comply with 22 different laws, some of which may contradict one another. Hopefully the states will see the flaw in their thinking that they each need their own law rather than adopting a single one, one that is also accepted in Canada, such as NIST CSF. I mean really, HIPAA, GLBA and PCI-DSS are all national compliance standards. Why can’t they just use NIST CSF rather than making it next to impossible for anyone to do business in another state? The EU did it; why can’t we?

I feel, as does Mike Semel from the call, that you can’t go wrong with NIST CSF, and when you adopt it you are already compliant with many others, including HIPAA. (HIPAA does have one additional requirement, but that is an easy fix.) To be honest, if you were brought to court and had documented proof that you are and have been implementing NIST CSF, I think a court would have a hard time finding you negligent, as it is the framework written by and implemented by the US Government.
