What is the New York SHIELD Act?
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a cybersecurity law that came into effect on March 21st, 2020. The objective of the Act, in line with its well-suited abbreviation, is to amend New York’s data breach notification law. It applies to “any person or entity with private information of a New York Resident, not just to those that conduct business in New York State.”
As most of us know, data breaches (unauthorized access) are becoming increasingly common and hackers are more sophisticated now than ever before. Consequently, over the last few years, we have witnessed more substantial breaches than ever.
In 2017, the credit reporting agency Equifax experienced a severe data breach of the personal data of approximately 147 million people. Instances like this have only accentuated the repercussions of high-profile hacking and prompted the revision of previous legislation, resulting in the creation of the SHIELD Act.
What does the NY SHIELD Act mean for data security regulations, and who does it apply to?
By addressing gaps in New York’s information security law, the SHIELD Act is designed to keep private information safe and provide notification when a data breach occurs. It does so in four ways:
First, it broadens the definition of ‘private information’ to include personal information (such as a name, number, or personal mark) that could identify a natural person, in combination with one or more of the following data elements, “when either the data element or the combination of personal information plus the data element is not encrypted or is encrypted with an encryption key that has also been accessed or acquired.”
So, what does private information refer to? Below we have listed data elements of private information as specified in the official Act:
- Social security number
- Driver’s license number or non-driver identification card number
- Account number
- Credit or debit card number combined with any required security or access code, password or other information that would authorize access to an individual’s financial account
- Username or email address in combination with a password that would allow access to the account
- Biometric information (such as a fingerprint, voiceprint or iris image)
Second, it broadens the definition of ‘breach’ to include unauthorized access to private information maintained by a business.
Third, it expands the territorial scope of the breach notification requirements to any individual(s) and businesses that collect private information regarding residents of New York State.
Fourth, it imposes data security requirements that require businesses to implement “reasonable safeguards” to protect the security, privacy, and integrity of private information. See the compliance checklist below to explore the specific measures businesses must adopt to comply with the Act.
Although maintaining good cyber-hygiene isn’t always easy, setting a standard that companies are required to meet is definitely a step in the right direction.
A checklist for NY SHIELD compliance
The Act requires companies that own or license private data from any New York resident to set up, or assess, their current information security and data collection programs. Even if you don’t run your business in New York, you may possess the private information of someone who lives in the state. So, to comply, you must implement a data security program that includes these reasonable safeguards:
- Designates one or more employees to coordinate the cybersecurity program
- Identifies reasonably foreseeable internal and external risks
- Assesses the sufficiency of safeguards in place to control the identified risks
- Trains and manages employees in the security program practices and procedures
- Selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract
- Adjusts the security program in light of business changes or new circumstances
- Assesses risks in the network and software design
- Assesses risks in how information is processed, transmitted, and stored
- Detects, prevents, and responds to attacks or system failures
- Regularly tests and monitors the effectiveness of key controls, systems, and procedures
- Assesses risks of information storage and disposal
- Detects, prevents, and responds to intrusions
- Protects against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
- Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
Although these requirements might appear overwhelming, companies now have a legal duty to keep private information and data secure. So, your business is responsible for mitigating the risks that could compromise that information.
How is the NY SHIELD Act enforced in the event of a data breach?
If a breach occurs involving the private information of over 500 New York citizens, you have ten days to notify the New York Attorney General in a written notice, and you are required to notify your customers. Failure to do so inevitably results in a large fine ranging from $5,000 to $250,000, depending on the severity of the breach.
How can attack surface management help?
Attack surface management technology can help maintain compliance as part of your wider security program. By having visibility of your complete attack surface, you are able to understand your potential cyber risk and manage vulnerabilities quickly and efficiently. Modern IT environments change constantly, so by continuously detecting and scanning your assets you are taking a proactive approach to securing your web applications and network from potential threats.
Book a demo to learn more about how we can help give you visibility of your attack surface.