An updated cybersecurity law that the IT organization (along with other college/university departments) will need to continue to integrate into its compliance programs, policies, and controls is the recent changes to New York’s General Business Law 899-aa and 899-bb (aka SHIELD Act). The compliance actions supporting this law have already passed (compliance was required by March 2020), and as such, our observations and recommendations have noted areas that would be applicable to this law based on our understanding of its applicability; however, we recommend that College/University seeks out a legal opinion regarding compliance requirements for this law and then adjust the needed controls to comply with the law.
Additionally, we wanted to bring the following to Management’s attention, as compliance with the Gramm-Leach Bliley Act Safeguards Rule is likely required for the College/University. The Federal Trade Commission (FTC) has proposed several changes to the existing Gramm-Leach Bliley Act (GLBA). They include items such as the following:
- FTC is proposing to amend its regulations implementing the GLBA to add specific data security requirements including encryption, access, and authentication.
- The proposed changes are generally consistent with the NYDFS cybersecurity regulations and the NAIC model law for insurance data security.
- Other federal regulatory activity would be expected with the enhanced focus on operational resiliency, recent customer data sharing and breach news, as well as both increasing state privacy activity, the California Privacy Protection Act (CCPA), the EU’s General Data Protection Regulation (GDPR), and others.
The sample items below from the proposed update are specific to the Safeguards Rule, which applies to the College/University. These compliance items, if approved, mirror current S/B College/University compliance actions in multiple areas, but not everywhere. They would require College/University to:
- Designate a single qualified individual to serve as the Chief Information Security Officer (CISO).
- Conduct at least annual information security risk assessments.
- Design and implement elements within the information security program, including:
- Access controls to authenticate users of information systems.
- Access controls to restrict access to customer information in physical locations (i.e., areas, papers, devices).
- Inventories of data, personnel, devices, systems, and facilities.
- Encryption of all customer information in transit and at rest.
- Secure development practices for applications developed in-house and used for transmitting, accessing, or storing information.
- Multi-factor authentication for any individual accessing customer information or internal networks that contain customer information.
- Audit trails to detect and respond to “security events”.
- Secure disposal procedures for customer information that is no longer necessary for “business operations or other legitimate business purpose”.
- Change management procedures for additions, deletions, or modifications to the information systems.
- Monitoring for authorized user activity and unauthorized access, use, or tampering of customer information.
- Providing employee “security awareness training”.
- Periodic (annual) risk-based assessments of service providers.
- An Incident response plan (notably, the proposed amendments do not include a requirement for financial institutions to notify the FTC of any security event).
- Reporting by the CISO, at least annually, to the Board or equivalent.
How this will ultimately affect College/University is unclear; however, we would suggest that those GLBA changes be monitored by College/University’s Privacy and Security Officers.
For additional cybersecurity information, please reach out to our experts at FoxPointe Solutions today!
FoxPointe Solutions is solely responsible only for the content of FoxPointe Solutions authored information and is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standard authority. Nothing contained herein should be used nor relied upon as advice nor constitute a consultant-client relationship.