What is the NY SHIELD Act and How Can You Be Sure Your Third Parties Are Compliant?
In light of concerns over a growing number of cybersecurity threats and data breaches, New York State recently passed stricter cybersecurity laws under the NY SHIELD Act. These data security requirements took effect on March 21, 2020. What are these new laws and how do you ensure your third parties are compliant?
What is the NY SHIELD Act?
At a basic level, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires organizations to implement protective measures to secure private data belonging to NY residents. The act also builds on existing data protection frameworks such as the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the New York Department of Financial Services (NYDFS) cybersecurity regulation. Under the SHIELD Act, if a breach affects more than 500 New York residents, the organization must report the breach to the NY state attorney general within 10 days of first realizing a breach took place. This is similar to the GDPR data breach notification requirements.
Penalties under the SHIELD Act have also increased. For example, the penalty for failing to notify the attorney general of a breach went from $10 to $20 per failed notification, and the maximum monetary fine jumped from $100,000 to $250,000.
Who is bound by the NY SHIELD Act?
The SHIELD Act applies to organizations both inside and outside of New York. For example, a restaurant in Brooklyn and an entrepreneur collecting emails from leads are both required to comply with the SHIELD Act. If the entrepreneur has just one lead from New York, they are legally bound by the Act.
The SHIELD Act expands on three areas of existing NY data privacy and security laws:
- Breach notification requirements. Inadvertent disclosures of private data must be reported with limited exceptions.
- The definition of “private information.” Additional data is now protected. For example, a debit card number without its PIN is protected if the PIN isn’t needed to cause damage.
- The definition of “breach.” Under this new law, unauthorized access is considered a breach. Previously, only unauthorized acquisition of data was considered a breach. This expansion greatly increases an organization’s data security responsibilities.
This means that if an employee falls victim to a phishing attack, it doesn’t matter if the organization can prove that no sensitive data was taken. The fact that the hacker gained unauthorized access to an account that may have enabled access to private information is enough to be considered a breach.
What data does the NY SHIELD Act protect?
The NY SHIELD Act protects “private information,” which has already been defined by the state of New York. However, the SHIELD Act expands that definition.
Private information now includes a person’s Social Security number, driver’s license number, bank account number, credit card number and biometric information along with usernames and passwords and even email addresses that can be used to access an account.
Adding biometric information to the list of private information greatly expands the type of data covered by this law. For example, a machine shop that has employees clock in using a thumbprint is now bound by the SHIELD Act to protect those fingerprints.
What does real-world compliance look like?
Complying with the NY SHIELD Act will look different for every organization. Like the GDPR, the SHIELD Act mandates the end result (data protection), but each organization must work out how to achieve compliance on its own. In other words, there are no prescriptive rules for compliance, and organizations can tailor their security strategy to their individual needs.
Some examples of compliance strategies organizations might implement include:
- Developing a strict IT security plan that bans BYOD (Bring Your Own Device) options.
- A policy that requires remote employees to log into the company network from a secure Wi-Fi network, as opposed to working from a coffee shop.
- Buying a VPN subscription for all remote employees to ensure data and browsing activity is encrypted, while still banning the use of public, unsecured Wi-Fi.
- Having a strong next-generation firewall in place along with other automated security controls that detect, isolate and analyze threats in real time.
- Training HR personnel so that they, in turn, can train all managers to follow the company’s IT security protocols.
- Mandatory employee training that includes a strict policy against sharing credentials.
- Using biometrics to grant access to physical spaces that contain private information.
- Requiring third-party vendors to uphold the company’s IT security standards to ensure all vendors are compliant with the NY SHIELD Act.
- Encrypting all company emails end-to-end and creating a policy prohibiting sending personal information through an unencrypted email.
- Implementing a plan for destroying paper and electronic documents containing protected information.
- Prohibiting company laptops and hard drives from leaving the office. For remote teams, requiring a biometric key to unlock the device.
- Implementing ongoing, automated risk assessment.
Organizations need to beware of third-party vendor breaches
A breach that happens to a third-party vendor is considered a breach to the organization. This was a hard lesson for Toyota to learn. Unfortunately, breaches to subsidiaries and vendors occur frequently.
It’s not enough for an organization to have its own data security protocols and protections in place if its vendors and subsidiaries aren’t held to the same high standards. If any customer data passes through those third parties and a data breach occurs, the organization will be held responsible, not the third party.
How do you know if your vendors meet regulatory compliance for the NY SHIELD Act?
It is imperative for you to know if your vendors meet all relevant regulatory compliance requirements. Depending on your industry, you might be bound by several compliance regulations. For example, you could be required to comply with GDPR, HIPAA and the NY SHIELD Act. While some of the regulations overlap, others don’t.
The best way to ensure compliance is to create strict compliance contracts as part of the onboarding process with your vendors. The only way to verify compliance is through talking to your vendors and performing penetration testing.
How Panorays can help
You need to know if your vendors are compliant with New York State’s new law, and if not, you need a game plan for helping them achieve compliance. That’s where Panorays can help.
With Panorays’ customizable Smart Questionnaires™, you can easily and quickly determine which vendors need to comply with which regulations.
Our automated platform uses a variety of techniques to determine where your vendors stand in terms of security posture. We can assess how well they protect their network and identify vulnerabilities that could cause a breach. We’ll inform you and your vendors of any vulnerabilities we find, along with suggestions for how to remediate them so your vendors can achieve compliance. Moreover, Panorays makes it easy to maintain the necessary documentation for regulations like the NY SHIELD Act right on the platform.
Want to learn more? Request a free Panorays demo to learn how we can help you and your third parties be compliant with the NY SHIELD Act.