Last review date: 31 December 2024
Yes.
Last review date: 31 December 2024
Yes.
If yes, under what circumstances?
☒ other
There is a privacy and security officer requirement under HIPAA. Additionally, under the GLBA's Safeguards Rule passed in 2021 by the FTC, a financial institution must have a "qualified individual" overseeing the implementation of its information security program. The NYDFS CR also requires the designation of a chief information security officer.
Last review date: 31 December 2024
Yes.
If yes, what are these requirements?
☒ other
HIPAA does not set out express requirements, but the HIPAA privacy and security officers must be qualified to administer the respective obligations under the HIPAA Privacy and Security Rules. The GLBA states that qualified individuals overseeing information security programs must have "some level of information security training and knowledge." The NYDFS CR specifies that the designated chief information security officer must be qualified and responsible for overseeing and implementing the covered entity's cybersecurity program and enforcing its cybersecurity policy, and must report in writing at least annually to the covered entity's board of directors or equivalent governing body.
Last review date: 31 December 2024
No, but exceptions do apply. For example, Vermont and California require data brokers to register, and other registration requirements are emerging.