How to Navigate Cybersecurity Compliance in NYS


With new standards, recommended tools, and expert advice surfacing constantly, cybersecurity can feel like a big ask on top of running a business. Unfortunately, cyber threats are here to stay. Since cyber criminals go after the weakest businesses first, leaders must bring their defenses up to a competent level.

If you have a business in New York State, you might've heard about a few NY businesses that have suffered breaches in recent years. Now, officials are cracking down on breaches due to negligent or weak cybersecurity protections.

To give you an overview of what to know as a New York business owner to protect your livelihood and remain compliant, here are the things to know about cybersecurity in NYS.

The Basics of New York State Cyber Security Requirements

In the United States, there are currently 19 states with data privacy laws in effect. Most of the rest, including New York, either don't have any active bills in the works or are in the process of reviewing them.

Yet there are still data security standards and practices you must adhere to. If you don't take cybersecurity seriously, you could face hundreds of thousands, or even millions, of dollars in fines from the state. That doesn't even include the lost business from reputational damage or class action lawsuits.

To read more about the complications cyber breaches can lead to, read our blog: Can My Business Get Sued for a Cybersecurity Breach?

Recent Events Setting the Stage for Zero-Tolerance

New York State Attorney General Letitia James has fined multiple businesses after massive cyber attacks led to data breaches. In 2023, James fined a home healthcare company $350,000 after a large breach.

More recently in late October 2024, another healthcare provider based out of the Capital Region was hit by a $500,000 fine for a breach exposing records of over 200,000 patients. The fine came after Albany ENT & Allergy Services suffered multiple ransomware attacks from two different cybercriminal groups in 2023.

Although they disclosed that the breach exposed Social Security numbers of over 120,000 New Yorkers, they failed to disclose the exposure of 80,000 driver's license numbers. Other patient records hackers had access to included names, addresses, medications, diagnoses, conditions, lab results, and treatment information.

It was also found that AENT continued to store unprotected sensitive data on storage devices for months following the two ransomware attacks. An agreement was reached in late October that the provider would invest over $2 million into an information security program and pay half a million dollars in fines.

The New York State SHIELD Act and How It Affects You

You may be familiar with the NY SHIELD Act, a law designed to expand upon the Information Security Breach and Notification Act signed in 2005.

The New York SHIELD Act was signed in 2019 and applies to almost all New York businesses. SHIELD stands for Stop Hacks and Improve Electronic Data Security, and the act expanded NYS cyber security policies in areas such as:

  • Types of private information that companies must disclose to consumers in the event of a breach
  • Expansion of the definition of a security breach to any "access to computerized data that compromises the confidentiality, security, or integrity of private data," per the Office of the Attorney General's website
  • Requirements for the development and implementation of reasonable cybersecurity safeguards for private information

NY Cybersecurity Safeguards Requirements

You may wonder what the attorney general means by the term "reasonable safeguards." It refers to several best practices that help protect sensitive data. These include implementing or creating a process for things like:

  • Coordinating cybersecurity programs
  • Identifying both internal and external cybersecurity risks
  • Evaluating the protections currently in place
  • Employee training and management of policies & procedures
  • Selecting reputable outsourced companies capable of maintaining safeguards under contract

Safeguards are split into two camps: technical and physical. Technical safeguards might include network security risk assessments, threat detection technology or procedures, penetration testing, and network monitoring.

Physical security involves limiting access to locations where sensitive data is stored and preventing improper collection, transportation, destruction, or disposal of data. To learn more about proper ways to handle data, read our blog: Data Protection vs Data Security.

Notification Requirements in New York State

If you're creating an incident response plan, you should include a timeline for reporting any cyber security breaches to New York State. Not only do you need to report breaches within a reasonable amount of time, you must also take steps to properly notify all affected parties.

This must include an email notice, a "conspicuous notice" on your company's website, and notification to statewide media about the breach.

Industry-Specific Regulations

In addition to New York State requirements that pertain to all industries, certain types of businesses are on the hook for industry-specific regulations. One particularly vulnerable sector is finance. Some regulations financial businesses must follow include:

  • NYS Department of Financial Services Cybersecurity Regulations
  • FTC Safeguards Rule
  • Gramm-Leach-Bliley

To read more about financial sector cybersecurity requirements, check out our blog: Is Your Financial Business Vulnerable to a Cyber Attack?

Another industry heavily targeted by cyber attacks is healthcare. These businesses are especially at risk because of the highly protected data they store and manage. Hackers know how valuable this data is, so they target these businesses ruthlessly.

To read about the unique risks of cyber attacks against healthcare businesses, read our blog: Is Cybersecurity Really That Big of a Deal In Healthcare? Risks of Healthcare Data Breaches

Steps You Can Take Today to Practice Proactive Cybersecurity

If you feel like you're treading water with cybersecurity, there are fortunately many cost-effective resources for business IT services. Before you find and sign on with a managed IT service, it's wise to get a network assessment to determine where you currently stand.

A network assessment evaluates your IT environment for vulnerabilities such as:

  • Unpatched or outdated software
  • Stray user accounts
  • Open ports
  • Weak or old passwords
  • Insufficient network monitoring
  • Unsecured backups

If you're not ready to invest in a network audit from a business IT support provider, some steps you can take to strengthen your security today include:

  • Implementing multifactor authentication (MFA)
  • Frequent password resets requiring strong passwords
  • Cybersecurity training for online safety and ransomware/phishing awareness
  • Evaluating and strengthening data backups

To learn other cybersecurity best practices, read our blog: Ask the Expert: 7 Cybersecurity Essentials To Check Off

To see how this applies to your upstate New York business, speak with an expert about how IT support for small businesses can be a game-changer.

About Jada Sterling, Digital Content Manager

Jada Sterling is Usherwood's Content Manager. She is responsible for developing content that furthers the mission of Usherwood Office Technology by helping clients and prospective clients better understand how technology can help grow their business.