In short, the Act requires all licensees to undergo a data risk assessment and then develop an appropriate, comprehensive written data security information plan for the agency that also addresses third-party service
providers with nonpublic data access. Licensees must also notify the Department within 72 hours in determining that a cybersecurity event has occurred. The new law will become effective on Jan. 1, 2019 with various steps for compliance through February 2020. Key implementation dates of the Act are listed.
[+]