New York

New York Data Privacy Compliance Consulting Services

Appolo Compliance helps organizations in the greater New York area manage privacy programs to meet New York legal compliance requirements. Under New York law, organizations must comply with detailed minimum standards to safeguard the personal information of New York residents.

Data Protection & Customer Information Security

In response to the rapid rise in breaches involving personal data, more privacy regulations are coming into effect at the local, state, federal, and international levels. As these regulations take effect, companies are recognizing that effective privacy management is not just a key compliance activity but also a key enabler of business in the digital economy.

We design privacy programs that protect customer information as well as the information technology systems that store and process it.

Compliance & Risk Assessment Process

We partner with our clients to help them conduct periodic risk assessments of their Information Systems sufficient to inform the design of their privacy and cybersecurity programs. Each risk assessment is updated as reasonably necessary to address changes to the client’s Information Systems, Nonpublic Information or business operations. These risk assessments allow controls to be revised in response to technological developments and evolving threats to Nonpublic Information and Information Systems.

Our Risk Assessment Process

We help organizations manage privacy programs to meet New York legal compliance requirements and the expectations of business partners and customers while reducing the risk of data breach.

New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
  • Strengthened New York’s breach notification law.
  • Broadened the circumstances under which a breach must be reported.
  • Requires any person or business that owns or licenses computerized data containing the private information of New York residents to implement a data security program with reasonable administrative, technical and physical safeguards to protect that data.
  • Who must comply?
    • Any person or business that owns or licenses computerized data containing the private information of New York residents, whether or not it does business in New York.
New York Department of Financial Services Cybersecurity Regulation (NYDFS, 23 NYCRR Part 500)
  • Created cybersecurity standards for financial organizations regulated by New York.
  • Covered entities must conduct risk assessments; maintain audit trails; dispose of data securely; limit access privileges; develop a written cybersecurity policy; designate a Chief Information Security Officer; and abide by other cybersecurity best practices.
  • Covered entities must notify the Department within 72 hours of determining that a reportable cybersecurity event has occurred.
  • Who must comply?
    • Any organization regulated by the NYDFS.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) became enforceable in the European Union (EU) on May 25, 2018. The GDPR applies to organizations established in the EU, to companies outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU, and to personal data processed in the EU. The GDPR gives individuals more control over their personal data by granting them the following rights: the right to be informed about an organization’s collection and use of their information; the right to access their personal data and request rectification; the right to restrict processing of their personal data; the right to data portability; the right to object to processing; the right not to be subject to solely automated decision-making; and the right to erasure, that is, to request that the personal data an organization holds about them be deleted (subject to the exceptions the regulation allows).

Under the GDPR, sensitive personal data (the “special categories” of personal data) is afforded more protection than ordinary personal data. Sensitive personal data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning a person’s sex life or sexual orientation. The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. If an unauthorized individual gains access to personal data, a data breach has occurred. A controller must notify the competent supervisory authority of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as updated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), protects medical information within the United States healthcare industry. HIPAA does not preempt stricter state privacy laws. The Privacy Rule sets standards for the use and disclosure of individually identifiable health information, known as protected health information (PHI), by organizations subject to HIPAA. The Security Rule operationalizes the protections in the Privacy Rule by specifying the technical and non-technical safeguards that organizations known as covered entities (and their business associates) must put in place to secure individuals’ electronic protected health information (e-PHI). Within the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.

Covered entities must designate a privacy official who is responsible for developing and implementing privacy protections and who serves as the point of contact for privacy-related issues. Under the Privacy Rule, individuals have the right to access and obtain a copy of their own PHI held by a covered entity (or by a business associate on its behalf). Individuals also have the right to receive an accounting of certain disclosures of their PHI. Covered entities must implement administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of e-PHI, and reasonable safeguards for all other PHI.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is published and maintained by the PCI Security Standards Council (PCI SSC) to combat payment fraud, specifically to protect against criminals stealing and using consumers’ financial information from payment card transactions and processing systems. PCI DSS establishes standards of practice for businesses that handle payment card data. These standards enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS applies to merchants and other entities that store, process or transmit cardholder data and/or sensitive authentication data. Cardholder data is, at a minimum, the full primary account number (PAN), and may also include the cardholder name, expiration date and service code. Sensitive authentication data (full track data, card verification codes such as CVV2, and PINs or PIN blocks) must not be stored after authorization, even if encrypted.

PCI DSS is enforced by the payment brands that founded the council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc. PCI DSS thus provides an enforceable security standard, through contractual obligations and fines, without the involvement of a government agency.

Gramm-Leach-Bliley Act (GLBA)

GLBA applies to financial institutions. GLBA regulates how financial institutions manage nonpublic personal information, defined as personally identifiable financial information provided by a consumer to a financial institution, resulting from a transaction with the consumer, or otherwise obtained by the institution. GLBA requires financial institutions to protect consumers’ nonpublic personal information, including through the written information security program mandated by the Safeguards Rule. Banks and related financial institutions that fail to comply with GLBA requirements can be subject to substantial penalties. At the state level, state attorneys general can enforce GLBA. Stricter state laws are not preempted under GLBA.

Cybersecurity Maturity Model Certification (CMMC)

CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for implementing cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of the processes and practices associated with a given cybersecurity maturity level. CMMC is designed to give the Department of Defense (DoD) increased assurance that a DIB company can adequately protect sensitive unclassified information, namely Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), accounting for information that flows down to subcontractors in a multi-tier supply chain.

California Consumer Privacy Act (CCPA)

The CCPA was signed into law in California on June 28, 2018 and took effect on January 1, 2020. The CCPA gives consumers more control over the personal information that businesses collect about them. Businesses that do business in California and meet the statute’s thresholds must honor certain consumer privacy rights. Under the CCPA, California residents have numerous privacy rights, including the right to know what personal information is collected about them, the right to request that their personal information be deleted, the right to opt out of the sale of their personal information, and the right not to be discriminated against for exercising the rights provided by the CCPA.

The CCPA provides consumers a private right of action for certain data breaches and is the first U.S. statute to allow consumers to recover statutory damages as a result of a breach. Where a business’s failure to maintain reasonable security leads to a breach of nonencrypted and nonredacted personal information, affected California residents may recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. The CCPA is otherwise enforced by the California Attorney General’s office and, following the CPRA amendments, the California Privacy Protection Agency.

Serving Greater New York Businesses

We are committed to helping organizations in the greater New York area identify areas where compliance is difficult in practice, and design policies and controls that close the gap between stated policy and actual operations.

About New York

New York City is the financial capital of the world, and New York is the leading state in financial cybersecurity regulation. As a global economic center, New York attracts a great deal of international business. Appolo Compliance is committed to helping organizations in the greater New York City area establish privacy programs that comply with privacy laws.