What is New York’s SHIELD Act?
The New York Stop Hacks and Improve Electronic Data Security Act or SHIELD Act, was enacted on July 25, 2019, as an amendment to the New York State Information Security Breach and Notification Act. The law went into effect on March 21st of this year.
SHIELD Act requires companies to implement and maintain reasonable security measures. Affected businesses must deploy safeguards to protect the security, confidentiality, and integrity of private information of New York residents including, but not limited to, secure disposal of data. The SHIELD Act introduces significant changes including.
- Updating the Definition of “Private Information”. SHIELD broadens the definition of “private information” to also include biometric information, account numbers, credit/debit card numbers, username/email addresses in combination with passwords or security questions and answers.
- Expanding the Definition of “Data Breach”. SHIELD expands the definition of “breach of the security of a system” to include unauthorized access of computerized data that compromises the security, confidentiality, or integrity of private information, and it provides sample indicators of access.
- Expands the Protection/Territorial ScopeSHIELD expands the territorial application of the breach notification requirement to any person or business that owns or licenses private information of a New York resident. Previously, the law was limited to those that conduct business in New York.
- Imposing Data Security RequirementsSHIELD requires companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. A company should implement a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal.
What are the SHIELD Act’s Data Security Requirements?
The SHIELD Act does not mandate specific safeguards, but it does provide several examples of best practices that are considered reasonable administrative, technical, and physical safeguards. These examples suggest the kinds of safeguards businesses should be adopting.
Administrative Safeguards focus on internal organization, policies, procedures, and maintenance of security measures that protect consumer private information. Some administrative safeguards include:
- Designating individuals or teams responsible for security programs.
- Ensuring a risk assessment process is in place. This should identify reasonably foreseeable internal and external risks and assess your safeguards in place to mitigate those risks.
- Educating employees in best security practices.
- Maintaining and practicing disaster recovery and business continuity plans.
Physical Safeguards are measures, policies, and procedures to protect your organization’s electronic information systems. Some physical safeguards include:
- Preventing, detecting, and responding to intrusions.
- Protecting against unauthorized access or use of private information.
- Assessing risks of information of storage and disposal of confidential information.
Technical safeguards are measures that protect and control access to private information. Some technical safeguards include:
- Network and software security technologies.
- Risk assessments for the organization’s information processing, transmission, and storage of data.
- Regular tests and monitoring effectiveness of key controls, systems, and procedures.
- Using multi-factor authorization and deploying encryption and data loss prevention tools.
How to Comply with the SHIELD Act
Businesses in New York State have two options to meet the requirements of the SHEILD Act. They can either do it in-house, or outsource the task to a managed service provider who specializes in cybersecurity for New York small businesses.
Do it Yourself: Meet Compliance Requirements In-House
For New York businesses with the resources and expertise, complying with the SHEILD Act can be achieved in-house. The in-house team can follow the resources provided by the National Institute of Standard and Technology (NIST), namely the MEP National Network Cybersecurity Assessment Tool. We recommend the NIST cybersecurity framework because it goes above and beyond the compliance requirements, while also providing a high-level of cybersecurity protection for today’s modern business.
If the business does not have the expertise to meet the security requirements themselves, they have the option to outsource to a Managed Security Service Provider, or MSSP.
Outsourcing to an MSSP
For many small businesses, the most effective way to comply with the SHIELD Act is to outsource to an MSSP. MSSPs are a specialized group of Managed Service Providers (also known as IT companies) who also provide cybersecurity services for small businesses. The requirements of the SHIELD Act can be outsourced in confidence to this type of provider.
When working with an MSSP, small businesses can expect the following process:
The Gap Analysis:
The first step toward SHIELD Act compliance is for the MSSP to conduct a gap analysis or assessment on the network. It’s called a gap analysis because it determines how close, or how far away, an IT system is from compliance.
The Remediation Plan:
The gap analysis will become the basis for the remediation plan. The remediation plan details the steps to be taken to implement the requirements of the SHIELD Act. These steps can be fulfilled by the MSSP or be completed in-house. The MSSP will follow the step by step plan and implement the security control required to be compliant.
On-Going Cybersecurity Monitoring:
On-going cybersecurity monitoring ensures small businesses are able to detect and respond to security breaches on their network. An MSSP will have these tools and resources (For example, Corsica’s Security Operations Center, or SOC) to watch the network 24/7/365. They’ll be able to detect breaches on the network and respond to them in accordance with SHIELD Act requirements.
What are the Penalties for Failing to Comply with the SHIELD Act?
If your organization fails to implement a compliant information security program, it can result in injunctive relief and civil penalties of up to $5,000 per violation.
If a cybersecurity incident does occur and involves the private information of more than 500 New York Residents, a written notice must be provided to the New York Attorney General within ten days after the determination. Businesses that fail to comply with this breach notification requirement can be held liable for the “actual costs or losses incurred by a person entitled to notice.” In addition, if the organization violates this provision, a civil penalty could be enforced—the greater of $5,000 or $20 per instance of failed notification, up to a maximum of $250,000 fee.
If you’re struggling to understand the SHIELD Act or are unsure whether your organization meets the requirements, Corsica Technologies is here to help. Our dedicated security team can answer any questions you may have or can conduct a Security Posture Review to see where you stand. Please reach out to our team either here or call us at (877) 659-2261.