What’s in the new draft regulations?
The new draft regulations appear to be very similar to the prior draft regulations that were published April 1. Here are a few key takeaways from the new draft:
- Scope of audit: The scope of an audit expressly includes all affiliates of the holder and any and all records. (In the VDA program, the holder may determine the scope of entities included to some degree, but will only obtain a release for those entities.)
- Nondisclosure agreements: A form nondisclosure agreement (“NDA”) is no longer required, although a sample is provided. In contrast to the prior draft regulation, the new draft no longer requires adherence to the security standards outlined by the International Organization for Standardization, but rather permits a security standard to be tailored by the auditor. The new draft regulation continues to allow auditors to retain the holder’s documents for as long as the auditor is contracting with the state. However, the new draft, like the prior draft, also prohibits an auditor from soliciting other states once an NDA is signed, and provides certain data security breach protections to the holder.