In light of concerns over a growing number of cybersecurity threats and data breaches, New York State passed stricter cybersecurity laws under the NY SHIELD Act, signed in July 2019. Its breach notification changes took effect on October 23, 2019, and its data security requirements took effect on March 21, 2020. What are these new laws and how do you ensure your third parties are compliant?
At a basic level, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires any person or business that holds computerized private information of New York residents to implement reasonable administrative, technical and physical safeguards to protect it. Organizations already subject to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, HIPAA or the New York Department of Financial Services (NYDFS) Cybersecurity Regulation are treated as compliant with that safeguards requirement as long as they comply with those regimes. The Act also tightens breach notification: affected New York residents must be notified in the most expedient time possible and without unreasonable delay, and the state attorney general, the Department of State and the State Police must be told about the timing, content and distribution of those notices. If an organization decides that notice is not required because an inadvertent disclosure by an authorized person is unlikely to result in misuse, it must document that determination in writing, keep it for at least five years and, if more than 500 residents are affected, provide it to the attorney general within 10 days. This is comparable in spirit to the GDPR breach notification requirements, although the GDPR's 72-hour clock for notifying the supervisory authority is stricter.
Penalties under the SHIELD Act have increased, and enforcement rests with the state attorney general; the Act creates no private right of action. The civil penalty for failing to notify went from $10 to $20 per instance of failed notification, and the maximum monetary fine for notification failures jumped from $150,000 to $250,000. Failing to implement reasonable safeguards can cost up to $5,000 per violation.
The SHIELD Act applies to organizations inside and outside of New York: any person or business that owns or licenses computerized data containing the private information of a New York resident must comply, wherever it is located. For example, a restaurant in Brooklyn and an out-of-state entrepreneur whose lead database holds private information (say, an email address together with a password) are both required to comply with the SHIELD Act. If the entrepreneur has private information on just one lead from New York, they are legally bound by the Act.
The SHIELD Act expands three areas of existing NY data privacy and security law: the definition of private information, the definition of a breach (which now covers unauthorized access, not only unauthorized acquisition) and the scope of who must comply.
The NY SHIELD Act protects “private information,” a term New York law had already defined. The SHIELD Act broadens that definition.
Private information now includes a person’s name in combination with a Social Security number, a driver’s license or non-driver ID number, an account, credit card or debit card number (with any required security code, or without one if the number alone allows access to the account) or biometric information. Separately, a username or email address in combination with a password, or with a security question and answer, that would permit access to an online account is private information on its own.
Adding biometric information to the list of private information greatly expands the type of data covered by this law. For example, a machine shop that has employees clock in using a thumbprint is now bound by the SHIELD Act to protect those fingerprints.
Complying with the NY SHIELD Act will look different for every organization. Like the GDPR regulation, the SHIELD Act mandates an end result (reasonable safeguards for private information) rather than a prescriptive checklist, so each organization tailors its program to its size, the sensitivity of the data it holds and the nature of its business; small businesses may scale their safeguards accordingly. The Act does, however, list examples of safeguards that count as reasonable, and an organization that implements them is deemed compliant.
Those statutory examples include: designating one or more employees to coordinate the security program; identifying reasonably foreseeable internal and external risks and assessing whether existing controls are sufficient; training and managing employees in the program’s practices and procedures; selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract; assessing risks in network and software design and in information processing, transmission and storage; detecting, preventing and responding to attacks, intrusions and system failures; regularly testing and monitoring the effectiveness of key controls; protecting against unauthorized access during collection, transport and destruction of information; and disposing of private information within a reasonable time after it is no longer needed.
A breach that happens at a third-party vendor is, in the eyes of the law, a breach of the organization’s own data. The SHIELD Act makes this explicit: a vendor that maintains private information it does not own must notify the owner or licensee immediately after discovering a breach, and the owner remains responsible for notifying affected residents and regulators. This was a hard lesson for Toyota to learn. Unfortunately, breaches at subsidiaries and vendors occur frequently.
It’s not enough for an organization to have its own data security protocols and protections in place if its vendors and subsidiaries aren’t held to the same high standards. If customer data passes through a third party and a breach occurs there, the organization that owns the data still carries the notification duty and the regulatory exposure, whatever recourse it may later have against the vendor.
It is imperative for you to know if your vendors meet all relevant regulatory compliance requirements. Depending on your industry, you might be bound by several compliance regulations. For example, you could be required to comply with GDPR, HIPAA and the NY SHIELD Act. While some requirements overlap, others are specific to a single regulation, so a vendor that satisfies one is not automatically compliant with the rest.
The starting point is the contract: the SHIELD Act itself names selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract, as a reasonable safeguard, so build those obligations into vendor onboarding. A contract is not verification, though. Verifying compliance means collecting evidence: security questionnaires and follow-up conversations with the vendor, independent audit reports, and technical assessment of the vendor’s externally exposed systems, including penetration testing where the sensitivity of the data and the relationship warrant it.
You need to know if your vendors are compliant with New York State’s new law, and if not, you need a game plan for helping them achieve compliance. That’s where Panorays can help.
With Panorays’ customizable Smart Questionnaires™, you can easily and quickly determine which vendors need to comply with which regulations.
Our automated platform uses a variety of techniques to determine where your vendors stand in terms of security posture. We can assess how well they protect their network and identify vulnerabilities that could cause a breach. We’ll inform you and your vendors of any vulnerabilities we find, along with suggestions of how to remediate them so your vendors will achieve compliance. Moreover, Panorays makes it easy to maintain the necessary documents for regulations like NY SHIELD Act right on the platform.
Want to learn more? Request a free Panorays demo to learn how we can help you and your third parties be compliant with the NY SHIELD Act.