Compliance

NYCRR PART 500

Avoid NYCRR Infractions

23 NYCRR 500 issues uniform guidelines on a number of measures to undertake for enhanced data protection.

HIPAA

Health Insurance Portability and Accountability Act of 1996

HIPAA (Health Insurance Portability and Accountability Act of 1996), in its simplest form, is a set of rules for any person or company that handles electronic protected health information (ePHI).


SOX 404

Avoid SOX 404 Infractions


ABA Opinion 483

Protect Your Client Data

Law firms are not immune to the unprecedented rise in cyberattack and data breach incidents worldwide.

CMMC

A continuous surge in information theft is a cause for concern for all sectors

A continuous surge in information theft is a cause for concern for all sectors of the digital world, whether it is corporate.


The New York SHIELD Act

New York’s SHIELD act to come into force on March 21, 2020.

New York’s SHIELD Act came into force on March 21, 2020. More and more states are taking it upon themselves to create laws that protect consumers by issuing more rigid compliance regulations.

23 NYCRR PART 500

In 2017, the New York State Department of Financial Services (NYDFS) launched GDPR-like cybersecurity regulations for its massive financial industry. This new regulation lays out reporting requirements in the event of a data breach and limitations regarding retaining data.


What is the NYCRR Cybersecurity Regulation?

Cyber criminals have been hyperactive over the last few years in targeting many different industries with malware, ransomware, phishing, and other cyberattacks. Financial institutions across the globe have been badly affected by the surge in such attacks. New York has been at the epicenter of many of them, which has resulted in huge financial losses, severe reputational damage, and in some cases even bankruptcy. In response to this ever-growing cybersecurity threat environment, the NYDFS issued the final Cybersecurity Regulation (23 NYCRR Part 500) to standardize security measures across covered entities. The objective is to have proper security policies and procedures in place to better protect client data against breach and to encourage higher security standards across the board.

NYDFS – 23 NYCRR 500

Appoint Chief Information Security Officer (CISO)
Establish a cybersecurity program
Implement and maintain a written cybersecurity policy
Annual penetration tests and bi-annual vulnerability assessments
Evaluate, assess, and test the security of in-house and external technology applications
Conduct a periodic risk assessment
Ensure cybersecurity personnel are properly trained and qualified

Who Is Affected?

Licensed lenders
State-chartered banks
Trust companies
Service contract providers
Private bankers
Mortgage companies
Insurance companies doing business in New York
Non-U.S. banks licensed to operate in New York

HIPAA-COMPLIANCE AUDIT

The Good News about HIPAA Compliance

The good news about HIPAA compliance is that there are some specific steps you can take right now to help protect your patients’ ePHI – and protect yourself legally:
Perform a thorough HIPAA Risk Assessment
Write a set of HIPAA security policies and procedures
Train employees on HIPAA security
Provide security breach response steps and documentation
Ensure any business associates handling ePHI in your database are clear on their obligations

Why is it Important to be HIPAA-Compliant?

For one thing, HIPAA compliance is the law. A quick Internet search will reveal that many companies have been fined $50,000, $100,000, even $1.5 million. But that’s not all. It’s estimated that the cost of recovering after a security breach is about $233 per medical record (2013 numbers), not including fines. These costs are the direct costs of contacting clients/patients, setting up a help desk and fielding extra phone calls, recovering and securing data, and investigating the data breach, as well as the indirect costs of losing clients due to your damaged reputation.

Common Findings of a HIPAA Risk Assessment

For some small clinics and private practices, the issue isn’t a lack of understanding of HIPAA as much as it is a lack of understanding of the technology. Many believe that they have secured patient ePHI, only to find out that there are some serious problems. The most common problems are:
lack of encrypted offsite data backup
lack of a disaster recovery plan
lack of email encryption
lack of laptop encryption
lack of mobile encryption (smartphones / tablets / USB drives, etc.)
lack of anti-virus protection
lack of security patching of servers and desktops
lack of security penetration and vulnerability testing
lack of security incident response procedures


SOX 404

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as to improve the accuracy of corporate disclosures.


SOX Compliance Audit

A SOX compliance audit of a company’s internal controls takes place once a year. An independent auditor must conduct SOX audits. It is the company’s responsibility to find and hire an auditor. To avoid a conflict of interest, SOX audits must be separate from other internal audits undertaken by the company. A SOX audit must involve a review of the company’s financials. Auditors must inspect previous financial statements to confirm their accuracy. It is ultimately at the auditor’s discretion whether a company’s financials pass. Any variance in the numbers of more than 5% is likely to set off red flags.

Sarbanes-Oxley (SOX)

All public companies now must comply with SOX, in terms of both finances and IT.
SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
RULES REQUIRED – The Commission shall prescribe rules requiring each annual report required under the Securities Exchange Act to contain an internal control report, which shall—
State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting;
Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

ABA Opinion 483

Model Rule 1.1 – Competence.

A lawyer must have the legal knowledge, skill, thoroughness and preparation to represent a client. They must act reasonably to stop any data breach from happening. And, in the event of a data breach, they should be competent to take steps to limit the damage.

Model Rule 1.4

Communication. Lawyers are obliged to keep clients “reasonably informed” in the event of a data breach. Proper explanation is required “to the extent necessary to permit the client to make informed decisions regarding the representation.”

Model Rule 1.6

Confidentiality of Information. Lawyers should not breach confidentiality of information. They must take steps to ensure client information is protected against unauthorized access.



CMMC

Federal Contract Information (FCI)

FCI is information provided by or generated for the Government under contract not intended for public release.

Controlled Unclassified Information (CUI)

CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

The CMMC framework

The framework is tier-based, with five certification levels that demonstrate a contractor’s cybersecurity infrastructure and capability in safeguarding FCI and CUI. Each level is certified based on successful achievement and demonstration of certain processes and practices.

The New York SHIELD Act

What is the SHIELD Act?

On July 25th, 2019, Andrew Cuomo, Governor of New York City signed the Stop Hacks and Improve Electronic Data Security Act, aka SHIELD. The main goal of SHIELD is to protect customers while ensuring stricter compliance regulations for companies that collect data and information from its citizens.

What do you need to know?

The Act covers a wider spectrum of businesses in New York
This act applies to any business that collects data from New York citizens and not just companies that conduct business in New York.

Who should pay attention?

Any company that has consumers in New York will need to comply with the Act. Technically any small or medium-sized company with even one customer in New York will need to comply with the act.



Contact CompCiti

Find Out How CompCiti Can Increase Your Cybersecurity and Keep Your Company Safe