We also believe the standards of reasonableness in other state statutes are helpful. For example, the new New York State regulation 23 NYCRR 500 provides a broadly defined list of specific controls and actionable items that will meet the standard of reasonableness:

  • Risk Assessments: Conducted periodically and used to assess the “confidentiality, integrity, security and availability of the IT infrastructure and PII.” (Section 500.09)
  • Audit Trail: Designed to record and respond to cybersecurity events. The records will have to be maintained for five years. (Section 500.06)
  • Limitations on Data Retention: Develop policies and procedures for the “secure disposal” of Personally Identifiable Information (PII) that is “no longer necessary for business operations or for other legitimate business purposes.” (Section 500.13)
  • Access Privileges: Limit access privileges to PII and periodically review those privileges. (Section 500.07)
  • Incident Response Plan: Develop a written plan to document internal processes for responding to cybersecurity events, including communication plans, roles and responsibilities, and necessary remediation of controls as needed. (Section 500.16)

SHIELD

2. REASONABLE SECURITY REQUIREMENT. (A) ANY PERSON OR BUSINESS THAT OWNS OR LICENSES COMPUTERIZED DATA WHICH INCLUDES PRIVATE INFORMATION OF A RESIDENT OF NEW YORK SHALL DEVELOP, IMPLEMENT AND MAINTAIN REASONABLE SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE PRIVATE INFORMATION INCLUDING, BUT NOT LIMITED TO, DISPOSAL OF DATA.
  (B) A PERSON OR BUSINESS SHALL BE DEEMED TO BE IN COMPLIANCE WITH PARAGRAPH (A) OF THIS SUBDIVISION IF IT EITHER:
  (I) IS A COMPLIANT REGULATED ENTITY AS DEFINED IN SUBDIVISION ONE OF THIS SECTION; OR
  (II) IMPLEMENTS A DATA SECURITY PROGRAM THAT INCLUDES THE FOLLOWING:
  (A) REASONABLE ADMINISTRATIVE SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR BUSINESS:
  (1) DESIGNATES ONE OR MORE EMPLOYEES TO COORDINATE THE SECURITY PROGRAM;
  (2) IDENTIFIES REASONABLY FORESEEABLE INTERNAL AND EXTERNAL RISKS;
  (3) ASSESSES THE SUFFICIENCY OF SAFEGUARDS IN PLACE TO CONTROL THE IDENTIFIED RISKS;
  (4) TRAINS AND MANAGES EMPLOYEES IN THE SECURITY PROGRAM PRACTICES AND PROCEDURES;
  (5) SELECTS SERVICE PROVIDERS CAPABLE OF MAINTAINING APPROPRIATE SAFEGUARDS, AND REQUIRES THOSE SAFEGUARDS BY CONTRACT; AND
  (6) ADJUSTS THE SECURITY PROGRAM IN LIGHT OF BUSINESS CHANGES OR NEW CIRCUMSTANCES; AND
  (B) REASONABLE TECHNICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR BUSINESS:
  (1) ASSESSES RISKS IN NETWORK AND SOFTWARE DESIGN;
  (2) ASSESSES RISKS IN INFORMATION PROCESSING, TRANSMISSION AND STORAGE;
  (3) DETECTS, PREVENTS AND RESPONDS TO ATTACKS OR SYSTEM FAILURES; AND
  (4) REGULARLY TESTS AND MONITORS THE EFFECTIVENESS OF KEY CONTROLS, SYSTEMS AND PROCEDURES; AND
  (C) REASONABLE PHYSICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR BUSINESS:
  (1) ASSESSES RISKS OF INFORMATION STORAGE AND DISPOSAL;
  (2) DETECTS, PREVENTS AND RESPONDS TO INTRUSIONS;
  (3) PROTECTS AGAINST UNAUTHORIZED ACCESS TO OR USE OF PRIVATE INFORMATION DURING OR AFTER THE COLLECTION, TRANSPORTATION AND DESTRUCTION OR DISPOSAL OF THE INFORMATION; AND
  (4) DISPOSES OF PRIVATE INFORMATION WITHIN A REASONABLE AMOUNT OF TIME AFTER IT IS NO LONGER NEEDED FOR BUSINESS PURPOSES BY ERASING ELECTRONIC MEDIA SO THAT THE INFORMATION CANNOT BE READ OR RECONSTRUCTED.