We also believe that standards of reasonableness in other state statutes are helpful. The new New York state regulation 23 NYCRR 500, for example, broadly defines a list of specific controls and actionable items that will meet the standard of reasonableness:
- Risk Assessments: Conducted periodically and used to assess the “confidentiality, integrity, security and availability of the IT infrastructure and PII.” (Section 500.09)
- Audit Trail: Designed to record and respond to cybersecurity events. The records will have to be maintained for five years. (Section 500.06)
- Limitations on Data Retention: Develop policies and procedures for the “secure disposal” of Personally Identifiable Information (PII) that is “no longer necessary for business operations or for other legitimate business purposes.” (Section 500.13)
- Access Privileges: Limit access privileges to PII and periodically review those privileges. (Section 500.07)
- Incident Response Plan: Develop a written plan to document internal processes for responding to cybersecurity events, including communication plans, roles and responsibilities, and necessary remediations of controls as needed. (Section 500.16)
2. REASONABLE SECURITY REQUIREMENT.
(A) ANY PERSON OR BUSINESS THAT OWNS OR LICENSES COMPUTERIZED DATA WHICH INCLUDES PRIVATE INFORMATION OF A RESIDENT OF NEW YORK SHALL DEVELOP, IMPLEMENT AND MAINTAIN REASONABLE SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE PRIVATE INFORMATION INCLUDING, BUT NOT LIMITED TO, DISPOSAL OF DATA.
(B) A PERSON OR BUSINESS SHALL BE DEEMED TO BE IN COMPLIANCE WITH PARAGRAPH (A) OF THIS SUBDIVISION IF IT EITHER: (I) IS A COMPLIANT REGULATED ENTITY AS DEFINED IN SUBDIVISION ONE OF THIS SECTION; OR (II) IMPLEMENTS A DATA SECURITY PROGRAM THAT INCLUDES THE FOLLOWING:
(A) REASONABLE ADMINISTRATIVE SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR BUSINESS: (1) DESIGNATES ONE OR MORE EMPLOYEES TO COORDINATE THE SECURITY PROGRAM; (2) IDENTIFIES REASONABLY FORESEEABLE INTERNAL AND EXTERNAL RISKS; (3) ASSESSES THE SUFFICIENCY OF SAFEGUARDS IN PLACE TO CONTROL THE IDENTIFIED RISKS; (4) TRAINS AND MANAGES EMPLOYEES IN THE SECURITY PROGRAM PRACTICES AND PROCEDURES; (5) SELECTS SERVICE PROVIDERS CAPABLE OF MAINTAINING APPROPRIATE SAFEGUARDS, AND REQUIRES THOSE SAFEGUARDS BY CONTRACT; AND (6) ADJUSTS THE SECURITY PROGRAM IN LIGHT OF BUSINESS CHANGES OR NEW CIRCUMSTANCES; AND
(B) REASONABLE TECHNICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR BUSINESS: (1) ASSESSES RISKS IN NETWORK AND SOFTWARE DESIGN; (2) ASSESSES RISKS IN INFORMATION PROCESSING, TRANSMISSION AND STORAGE; (3) DETECTS, PREVENTS AND RESPONDS TO ATTACKS OR SYSTEM FAILURES; AND (4) REGULARLY TESTS AND MONITORS THE EFFECTIVENESS OF KEY CONTROLS, SYSTEMS AND PROCEDURES; AND
(C) REASONABLE PHYSICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR BUSINESS: (1) ASSESSES RISKS OF INFORMATION STORAGE AND DISPOSAL; (2) DETECTS, PREVENTS AND RESPONDS TO INTRUSIONS; (3) PROTECTS AGAINST UNAUTHORIZED ACCESS TO OR USE OF PRIVATE INFORMATION DURING OR AFTER THE COLLECTION, TRANSPORTATION AND DESTRUCTION OR DISPOSAL OF THE INFORMATION; AND (4) DISPOSES OF PRIVATE INFORMATION WITHIN A REASONABLE AMOUNT OF TIME AFTER IT IS NO LONGER NEEDED FOR BUSINESS PURPOSES BY ERASING ELECTRONIC MEDIA SO THAT THE INFORMATION CANNOT BE READ OR RECONSTRUCTED.