New York State DFS Mandate and GDPR Mandate – What we can learn


Takeaways from NYS DFS and GDPR Mandates …

While we are referencing two specific mandates (one for NYS and one that is global), all states have their own regulations in place to protect data and require organizations to report data breaches.  This will continue to expand beyond the financial and medical industries and also across state and country borders.  Below are some baseline practices all businesses should begin implementing.

Here is a quick definition of the NYS DFS Mandate and the GDPR Mandate:

  • New York State Department of Financial Services (DFS) cybersecurity regulation – known as “23 NYCRR 500”, it is intended for financial organizations.
  • General Data Protection Regulation (GDPR) – a regulation intended to strengthen and unify data protection for all individuals within the EU.

Here is a list of key takeaways that these mandates enforce:

  • Policies and Training – the easiest and least-costly action for any business is to institute a cybersecurity policy.  This would include rules and training for any employee on the following topics:
    • BYOD Policy – if bringing your own device to the workplace, policy for proper usage.
    • Password Policy – strength of passwords, change interval and historical retention.
    • Acceptable Use Policy – how the company data can be used and shared.
    • Remote Access Policy – requirements for users working from home.
    • Patch Management Policy – defines how software patches are installed and when.
    • Security Awareness and Training – bringing in experts to train and inform staff on how to best do their jobs and protect company data.
  • Having an Information Security Plan – just like a mini business plan, there should be an all-encompassing program defining how your organization will remain up-to-date on security.
  • Technologies that will help:
    • Encryption – any device that has confidential data stored on it should be encrypted.  Email communication that contains any sensitive data should also be encrypted.
    • Antivirus / AntiMalware – make sure you are not relying on Microsoft Security Essentials or Defender.  Put in place a managed solution with a portal showing the status of all virus detections and updates.
    • Backup and Disaster Recovery Plan – have the difficult discussions about what happens if your key applications were to go down or worse, your equipment or facility.  Determine the Return to Operations timeline (RTO) to identify when you have to have these applications back online.
    • Vulnerability Scanning – software is available to scan your network and external connection for any known vulnerabilities.
    • Patch Management – there is software available that can update Microsoft Windows and other applications in a controlled manner as security patches are released.
  • Multifactor Authentication – ensuring that logging into critical systems includes something you know and something you have.  This requires a username/password and additional proof with a key fob or text to cell phone.
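To make the “something you know and something you have” requirement concrete, here is an added example (not code from the original post) of a login check that accepts a password and a time-based one-time code of the kind a key fob or authenticator app produces. It implements the standard HOTP/TOTP construction (HMAC-SHA1 over a counter derived from the clock) and verifies the submitted code against a small window to tolerate clock drift. The user record, secret key and password are constructed for illustration; `login`, `verify_totp` and the helper names are this example's own.

```python
import hashlib
import hmac
import struct
import time

# HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter,
# dynamic truncation to 31 bits, then reduced to N decimal digits.
def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch.
def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    return hotp(key, int(at_time) // step, digits)

# Accept codes from the current step and one step either side, so a token whose
# clock is slightly off still works. Constant-time comparison avoids leaking
# how many leading digits matched.
def verify_totp(key: bytes, submitted: str, at_time: float,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    for drift in range(-window, window + 1):
        expected = totp(key, at_time + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

# "Something you know": a salted, iterated password hash, never the password itself.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user directory for the example. The TOTP secret is the shared
# key provisioned to the user's authenticator app or key fob at enrolment.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_key": b"12345678901234567890",  # RFC 6238 test-vector key
    }
}

# Both factors must pass; the password check runs first, and a failed
# password does not short-circuit before the second factor is also evaluated,
# so the response time does not reveal which factor was wrong.
def login(username: str, password: str, code: str, now: float = None) -> bool:
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password, _SALT))
    otp_ok = verify_totp(user["totp_key"], code, now)
    return pw_ok and otp_ok

if __name__ == "__main__":
    now = time.time()
    token_code = totp(USERS["alice"]["totp_key"], now)  # what the fob would show
    print("both factors:", login("alice", "correct horse battery staple", token_code, now))
    print("password only:", login("alice", "correct horse battery staple", "000000", now))
    print("code only:", login("alice", "wrong password", token_code, now))
```

Running the script shows that only the combination of the right password and a valid current code is accepted; either factor alone is rejected. The HOTP and TOTP functions reproduce the published RFC 4226 / RFC 6238 test vectors for the key above, which is a useful self-check when adapting the code.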

Just like any major change, it is important to have a plan to continuously improve over time.  You could address training and policies first, implement Disaster Recovery (to recover if something does happen) and then slowly address each point over time.

Posted on October 19, 2017.
