Weekly Cybersecurity / Privacy regulations Insights

Stay ahead with our expertly curated weekly insights on the latest trends, developments, and news in Cybersecurity - Privacy regulations.

Recent Articles

Beyond the checklist: why a data privacy culture outperforms policy every time

Organizations must prioritize data protection as a shared responsibility, not just a compliance issue. Effective training and a strong culture of understanding the 'why' behind policies are essential for mitigating risks and maintaining trust in today's data-driven landscape.


What does it mean to have a 'data privacy culture' beyond just following policies?
A data privacy culture means embedding the understanding and importance of data protection into the everyday mindset and behaviors of all employees, not just adhering to formal policies or compliance checklists. It involves leadership communicating the 'why' behind data protection, continuous role-specific training, and encouraging open discussions about data privacy risks and decisions, making data protection a shared responsibility across the organization.
Sources: [1]
Why is leadership important in building a strong data privacy culture?
Leadership is crucial because it sets the tone and priority for data privacy within the organization. When executives clearly communicate the value of data protection and integrate it into business decisions, it signals to all employees that privacy is a core organizational value. This top-down commitment helps foster a shared sense of accountability and vigilance, which is essential for reducing risks and maintaining customer trust.
Sources: [1], [2]

25 July, 2025
TechRadar

New York Seeking Public Opinion on Water Systems Cyber Regulations

New York is seeking public input on proposed cyber regulations for water systems, focusing on incident reporting, response plans, cybersecurity controls, and compliance training. This initiative aims to enhance the security and resilience of critical water infrastructure.


What types of water systems are affected by the proposed cybersecurity regulations in New York?
The proposed regulations apply to water and wastewater utilities in New York State that serve more than 3,300 people. Larger utilities serving over 50,000 customers have additional requirements, such as designating a cybersecurity program leader and implementing network monitoring and logging.
Sources: [1], [2]
What are the key cybersecurity requirements proposed for water and wastewater utilities in New York?
The key requirements include implementing cybersecurity incident response plans, reporting incidents to the Department of Health within 24 hours, conducting annual cybersecurity vulnerability assessments, establishing formal cybersecurity programs, ensuring network monitoring and logging, and providing mandatory cybersecurity training for certified wastewater operators.
Sources: [1], [2]

24 July, 2025
SecurityWeek

Compliance is evolving — Is your resilience ready?

The evolving role of privacy professionals now encompasses cyber security compliance, driven by new regulations like NIS2 and DORA. These changes demand enhanced resilience and risk management, highlighting the importance of strategic security solutions in today's complex IT landscape.


What are the main differences between NIS2 and DORA regulations?
NIS2 is a directive aimed at strengthening cybersecurity across a broad range of essential and important sectors such as energy, healthcare, and transport, focusing on risk management, incident reporting, and governance. DORA is a regulation specifically targeting the financial sector, emphasizing operational resilience through rigorous ICT risk management, resilience testing, and incident reporting. While NIS2 sets broader cybersecurity objectives, DORA mandates more prescriptive and detailed requirements, including annual security testing and specific incident reporting timelines. DORA also overrides NIS2 in overlapping areas for entities subject to both regulations.
What are the incident reporting requirements under NIS2 and DORA?
Both NIS2 and DORA require organizations to report cybersecurity incidents in multiple stages, but their timelines and definitions differ. Under NIS2, entities must notify authorities within 24 hours of becoming aware of an incident, provide a detailed report within 72 hours, and submit a final report within one month. DORA also requires three reports but allows more flexible deadlines set by competent authorities, focusing on incidents that impact critical or important financial services. The definitions of reportable incidents vary, with NIS2 having a broader scope and DORA focusing on major ICT-related incidents affecting financial sector functions.

18 July, 2025
TechRadar

Safeguarding Customer Information Policy

A new policy outlines essential standards for safeguarding customers' proprietary and consumer information. This customizable six-page document provides expert guidance on security responsibilities, awareness, and training programs to enhance cybersecurity measures effectively.


What are the key components of a reasonable information security program under a safeguarding customer information policy?
A reasonable information security program typically includes strong authentication and access controls such as multi-factor authentication, data masking and anonymization techniques like tokenization and pseudonymization, employee training and awareness programs, and procedures to protect against unauthorized access or data breaches. It also involves regular updates to security measures to keep pace with evolving technology and threats.
Sources: [1], [2]
Who is required to comply with safeguarding customer information policies and what are their responsibilities?
Entities covered by safeguarding customer information policies, such as financial firms under SEC Regulation S-P or businesses subject to the FTC Safeguards Rule, must implement safeguards to protect customer information. Their responsibilities include maintaining security and confidentiality of customer data, protecting against anticipated threats, providing privacy notices to customers, and reporting certain data breaches. They must also develop identity theft prevention programs and ensure employee training on security practices.
Sources: [1], [2]

26 June, 2025
Cybersecurity | TechRepublic