Boris Segalis and Nihar Shah provide some follow-up to a data security breach at New York State Electric & Gas and Rochester Gas and Electric that was disclosed in January. As I noted in July, regulators criticized NYSEG over the breach that had affected 1.8 million.
Segalis and Shah write:
The Commission subsequently issued an “Order Directing a Report on Implementation of Recommendations” that expanded on many of the recommendations in the Commissioner’s initial statements, and described in detail the ways in which the Commissioner found NYSEG to have failed to adequately protect its customers’ PII.
The Commission conducted an exhaustive inquiry into NYSEG’s data security practices and found several instances in which the utility was not employing best practices and industry standards to protect PII. The Order referred to the NIST (2010) Recommended Security Controls for Federal Information Systems and Organizations as well as best practices set forth in the Family Educational Rights and Privacy Act (FERPA) as the baseline for benchmarking NYSEG’s relevant practices. The Commission benchmarked NYSEG’s data security practices in eight areas:
Read more on InfoLawGroup.