
SHIELD Act Compliance: The Definitive Guide for New York Businesses


The New York Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, was enacted on July 25th, 2019, as an amendment to the New York State Information Security Breach and Notification Act. The law went into effect on March 21st of this year. The SHIELD Act broadens the scope of information covered under the notification law and updates the breach notification requirements that apply when a data breach occurs.

What Is New York’s SHIELD Act?

The SHIELD Act requires companies to implement and maintain reasonable security measures. Affected businesses must deploy safeguards to protect the security, confidentiality, and integrity of the private information of New York residents, including, but not limited to, secure disposal of data. The SHIELD Act introduces significant changes, including:

  • Updating the Definition of “Private Information”
    SHIELD broadens the definition of “private information” to also include biometric information, account numbers, credit/debit card numbers, username/email addresses in combination with passwords or security questions and answers.
  • Expanding the Definition of “Data Breach”
    SHIELD expands the definition of “breach of the security of a system” to include unauthorized access of computerized data that compromises the security, confidentiality, or integrity of private information, and it provides sample indicators of access.
  • Expanding the Territorial Scope
    SHIELD expands the territorial application of the breach notification requirement to any person or business that owns or licenses private information of a New York resident. Previously, the law was limited to those that conduct business in New York.
  • Imposing Data Security Requirements
    SHIELD requires companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. A company should implement a data security program containing specific measures, including cybersecurity risk assessments, employee training, vendor contracts, and timely data disposal.

What Are the SHIELD Act’s Data Security Requirements?

The SHIELD Act does not mandate specific safeguards, but it does provide several examples of best practices that are considered reasonable administrative, technical, and physical safeguards. These examples suggest the kinds of safeguards businesses should be adopting.

Administrative Safeguards focus on internal organization, policies, procedures, and maintenance of security measures that protect consumer private information. Some administrative safeguards include:

  • Designating individuals or teams responsible for security programs.
  • Ensuring a risk assessment process is in place. This should identify reasonably foreseeable internal and external risks and assess your safeguards in place to mitigate those risks.
  • Educating employees in best security practices.
  • Maintaining and practicing disaster recovery and business continuity plans.


Physical Safeguards are measures, policies, and procedures to protect your organization’s electronic information systems. Some physical safeguards include:

  • Preventing, detecting, and responding to intrusions.
  • Protecting against unauthorized access or use of private information.
  • Assessing the risks involved in storing and disposing of confidential information.

Technical Safeguards are measures that protect and control access to private information. Some technical safeguards include:

  • Network and software security technologies.
  • Risk assessments for the organization’s information processing, transmission, and storage of data.
  • Regularly testing and monitoring the effectiveness of key controls, systems, and procedures.
  • Using multi-factor authentication and deploying encryption and data loss prevention tools.

How to Comply with the SHIELD Act

Businesses in New York State have two options to meet the requirements of the SHIELD Act. They can either do it in-house, or outsource the task to a managed service provider who specializes in cybersecurity for New York small businesses.

Do it Yourself: Meet Compliance Requirements In-House

For New York businesses with the resources and expertise, complying with the SHIELD Act can be achieved in-house. The in-house team can follow the resources provided by the National Institute of Standards and Technology (NIST), namely the MEP National Network Cybersecurity Assessment Tool. We recommend the NIST Cybersecurity Framework because it goes above and beyond the compliance requirements, while also providing a high level of cybersecurity protection for today’s modern business.

If the business does not have the expertise to meet the security requirements itself, it has the option to outsource to a Managed Security Service Provider, or MSSP.

Outsourcing to an MSSP

For many small businesses, the most effective way to comply with the SHIELD Act is to outsource to an MSSP. MSSPs are a specialized group of Managed Service Providers (also known as IT companies) who also provide cybersecurity services for small businesses. The requirements of the SHIELD Act can be outsourced in confidence to this type of provider.

When working with an MSSP, small businesses can expect the following process:

The Gap Analysis:

The first step toward SHIELD Act compliance is for the MSSP to conduct a gap analysis, or assessment, of the network. It’s called a gap analysis because it determines how close, or how far away, an IT system is from compliance.

The Remediation Plan:

The gap analysis becomes the basis for the remediation plan. The remediation plan details the steps to be taken to implement the requirements of the SHIELD Act. These steps can be fulfilled by the MSSP or completed in-house. The MSSP will follow the step-by-step plan and implement the security controls required to be compliant.

Ongoing Cybersecurity Monitoring:

Ongoing cybersecurity monitoring ensures small businesses are able to detect and respond to security breaches on their network. An MSSP will have the tools and resources (for example, Corsica’s Security Operations Center, or SOC) to watch the network 24/7/365. They’ll be able to detect breaches on the network and respond to them in accordance with SHIELD Act requirements.

What Are the Penalties for Failing to Comply With the SHIELD Act?

If your organization fails to implement a compliant information security program, it can result in injunctive relief and civil penalties of up to $5,000 per violation.

If a cybersecurity incident does occur and involves the private information of more than 500 New York residents, a written notice must be provided to the New York Attorney General within ten days after the determination. Businesses that fail to comply with this breach notification requirement can be held liable for the “actual costs or losses incurred by a person entitled to notice.” In addition, if the organization violates this provision, a civil penalty could be enforced: the greater of $5,000 or $20 per instance of failed notification, up to a maximum of $250,000.

If you’re struggling to understand the SHIELD Act or are unsure whether your organization meets the requirements, Corsica Technologies is here to help. Our dedicated security team can answer any questions you may have or can conduct a Security Posture Review to see where you stand. Please reach out to our team either here or call us at (855) 411-3387.

Corsica Technologies
Corsica provides personalized service and a virtual CIO (vCIO) who serves as a strategic advisor. When it comes to the complex integration of solutions for IT and cybersecurity, the whole is greater than the sum of its parts. We offer cybersecurity solutions, managed services, digital transformation, resale services, and one-off technology projects. Corsica unifies any combination of these services into a complete, seamless solution.
