NY Data Law Takes Effect

NEW YORK -- New data privacy rules in New York state are making life more difficult for affected companies, warned IT managers and CIOs attending this week's Interop tradeshow.

Last week, New York's Information Security Breach and Notification Act went into effect; thus forcing companies to rethink how they handle data and report breaches. It applies to "state entities and persons or businesses conducting business in New York who own or license computerized data which includes private information."

Behind the legalese is this: Lawmakers in New York are prepared to come down hard on firms that lose sensitive infomation. Failure to disclose data breaches to consumers may result in fines of up to $150,000. Although there is no specified timeframe for reporting a breach, the law urges users to do so "in the most expedient time possible without unreasonable delay."

The act, which follows similar legislation in California, comes after a number of high-profile corporate data snafus. (See Financial Security: Priceless, Don't Be a Data Privacy Dunce and IT Managers Sweat Security.)

But IT execs at Interop are concerned about adding yet another layer of control to systems already straining under a slew of compliance requirements. (See Users Splash Cash on SOX.) "We're really struggling," admitted the vice president of technology of a systems integrator in the financial services sector, who asked not to be named. "It's very difficult. We spend so much time scrutinizing what products to bring into our environment."The exec thinks continuous data protection (CDP) technology will help him meet his compliance commitments, but he warns that he can't get what he needs "without spending $300,000 or $400,000."

He's not alone. A recent Byte and Switch Insider report -- this sites paid subscription research service -- "Continuous Data Protection: Backup to the Future," indicates that more progress is needed in the area of CDP, which aims to help firms recover critical data quickly.

An IT manager from a New York-based Web-hosting firm agreed that the law is a potential headache. "There are places in our organization where this is going to be a major issue," he explained. He's particularly concerned with the customer-facing parts of his business. "It's going to add another layer of cost to everything that our clients do."

But the manager thinks his firm can handle the strain on its back-end systems. "We have a lot of people with Department of Defense-type expertise that are dealing with these types of issues," he said.

One organization that knows a thing or two about security is San Diego State University (SDSU), which suffered its own data exposure last year when a department file server was hacked. Michael Reeves, director of computer services at the SDSU research foundation, urged companies and organizations in New York to take the data privacy legislation seriously. "The fines are unreal," Reeves said. "It will change the way they handle their data, most definitely."SDSU intends to add additional layers of security to its systems. This may involve encrypting student names on an Oracle database. Reeves added that the University also wants better visibility into its systems. "The tools that we're looking at are to see whether there has been any type of intrusion," he explained. If there's a machine the IT group suspects has been breached, they have to undertake forensics-type work on it.

Controlling who gets access to what is big business at the moment. But users have already voiced their concerns about the offerings currently on the market. The head of security at Web-hosting giant Savvis, for example, recently bemoaned the lack of interoperability among different security products. (See Savvis Cites Security Challenges.)

Earlier this year at an Interop show in Las Vegas, users complained that current identity management products did not offer the breadth of functionality they need. (See CIOs Face Identity Crisis.)

— James Rogers, Senior Editor, Byte and Switch

Organizations mentioned in this article: