In light of concerns over a growing number of cybersecurity threats and data breaches, New York State passed stricter cybersecurity laws under the NY SHIELD Act. These data security requirements took effect on March 21, 2020. What are these new laws and how have they expanded the definition of a data breach and the obligations of companies with personal information of New York residents? And lastly, how do you ensure your third parties are compliant?
What is the NY SHIELD Act?
In the case of a data breach, the NY SHIELD Act requires all global companies that store data containing personal information of individuals residing in New York to provide notification regarding the breach. The notification informs NY residents that their personal information was accessed.
At a basic level, the Stop Hacks and Improve Electronic Data Security Act (SHIELD) expands on the previous data breach notification law. This law requires notification of a data breach of the personal information of a New York resident or businesses located in the state of New York. The NY SHIELD Act now requires organizations to implement protective measures to secure data containing private information belonging to New York residents, regardless of where the business is located.
This act also builds on existing data protection laws, such as the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the New York Department of Financial Services (NYDFS) cybersecurity regulation. Under the SHIELD Act, if a breach affects more than 500 New York residents, the organization must report the breach to the New York state attorney general within 10 days of first realizing a breach took place. This is similar to the GDPR data breach notification requirements.
Penalties for a breach under the SHIELD Act have also increased. For example, failure to notify the attorney general of a breach went from $10 to $20 per failed notification. The maximum monetary fine jumped from $100,000 to $250,000.
Who is Bound by the NY SHIELD Act?
The SHIELD Act applies to organizations inside and outside of New York. For example, a restaurant in Brooklyn and an entrepreneur collecting emails from leads are both required to comply with the SHIELD Act. If the entrepreneur has just one lead from New York, they are legally bound by the Act.
The SHIELD Act expands on three areas of existing New York data privacy and security laws:
- Breach notification requirements. Inadvertent disclosures of private data must be reported with limited exceptions.
- The definition of “private information.” Additional data is now protected. For example, a debit card number without a PIN is protected if the PIN isn’t needed to cause damage.
- The definition of “breach.” Under this new law, unauthorized access is considered a breach. Previously, only unauthorized acquisition of data was considered a breach. This expansion greatly increases an organization’s data security responsibilities.
This means that if an employee falls victim to a phishing attack, it doesn’t matter if the organization can prove that no sensitive data was taken. The fact that the hacker gained unauthorized access to an account that may have enabled access to private information is enough to be considered a breach.
What Data Does the NY SHIELD Act Protect?
The NY SHIELD Act protects “private information,” which has already been defined by the state of New York. However, the SHIELD Act expands that definition.
Private information now includes personal data such as a person’s social security number, driver’s license number, bank account number, credit card number and biometric information, together with any security code, access code, username and password, and even an email address that can be used to access an account.
Adding biometric information to the list of private information greatly expands the type of data covered by this law. For example, a machine shop that has employees clock in using a thumbprint is now bound by the SHIELD Act to protect those fingerprints.
How Can my Organization Implement a Data Security Program?
The bare minimum requirement for organizations to comply with the NY SHIELD Act is to implement a data security program. These data security requirements include putting reasonable safeguards in place to protect the data and private information of a NY resident or business.
Appropriate safeguards include:
- Reasonable physical safeguards. Physical safeguards assess the risks of information storage and disposal; protect against an unauthorized person gaining access to computerized data containing private information; and respond to intrusions. They also dispose of private information that is no longer needed for business purposes by erasing electronic media so that the information cannot be accessed.
- Reasonable technical safeguards. Technical safeguards assess risks related to network and software design and to information processing, transmission and storage; detect, prevent and respond to attacks or system failures; and continually check and verify the effectiveness of any key controls, systems and procedures put in place.
- Reasonable administrative safeguards. Administrative safeguards appoint one or two employees to manage the cybersecurity program; assess both internal and external risks and how effective current safeguards are at controlling the identified risks; train employees in the security program’s practices; and select third-party service providers that are able to comply with your organization’s security program.
Additional critical yet reasonable safeguards include having disaster recovery and business continuity plans in place; using multi-factor authentication; updating anti-virus and malware solutions; tracking devices and equipment used by the network; and having a system in place to both retain and destroy records.
What Does Real-World Compliance Look Like?
Complying with the NY SHIELD Act will look different for every organization. For example, although health information is not included in the SHIELD Act, businesses subject to the Health Insurance Portability and Accountability Act (HIPAA) must still be aware of the SHIELD Act. In practice, this means that if a company suffers a data breach and is required to inform patients under HIPAA, it does not need to send an additional notification under the SHIELD Act. The company would still need to inform the New York state attorney general, however.
Like the GDPR regulation, the SHIELD Act provides a mandate for the end result (data protection), but each organization must achieve compliance on their own. In other words, there are no specific rules for compliance, and organizations can tailor their security strategy according to individual needs.
Some examples of compliance strategies organizations might implement include:
- Developing a strict IT security plan that bans BYOD (Bring Your Own Device) options.
- A policy that requires remote employees to log into the company network from a secure Wi-Fi network, as opposed to working from a coffee shop.
- Buying a VPN subscription for all remote employees to ensure data and browsing activity is encrypted, while still banning the use of public, unsecured Wi-Fi.
- Having a strong next generation firewall in place along with other automated security protocols that detect, isolate and analyze threats in real time.
- Training HR personnel so that they can in turn train all managers to follow the company’s IT security protocols.
- Mandatory employee training that includes a strict policy against sharing credentials.
- Using biometrics to grant access to physical spaces that contain private information.
- Requiring third-party vendors to uphold the company’s IT security standards to ensure all vendors are compliant with the NY SHIELD Act.
- Encrypting all company emails end-to-end and creating a policy prohibiting sending personal information through an unencrypted email.
- Implementing a plan for destroying paper and electronic documents containing protected information.
- Prohibiting company laptops and hard drives from leaving the office. For remote teams, requiring a biometric key to unlock the device.
- Implementing ongoing, automated risk assessment.
Organizations Need to Beware of Third-Party Vendor Breaches
A breach that happens to a third-party vendor is considered a breach to the organization. This was a hard lesson for Toyota to learn. Unfortunately, breaches to subsidiaries and vendors occur frequently.
It’s not enough for an organization to have their own data security protocols and protections in place if their vendors and subsidiaries aren’t using the same high standards. If any customer data passes through those third parties, and a data breach occurs, the organization will be held responsible—not the third party.
How Do You Know if Your Vendors Meet Regulatory Compliance for the NY SHIELD Act?
It is imperative for you to know if your vendors meet all relevant regulatory compliance requirements. Depending on your industry, you might be bound by several compliance regulations. For example, you could be required to comply with GDPR, HIPAA and the NY SHIELD Act. While some of the regulations overlap, others don’t.
The best way to ensure compliance is to create strict compliance contracts as part of the onboarding process with your vendors. The only way to verify compliance is through talking to your vendors and performing penetration testing.
How Panorays Can Help
You need to know if your vendors are compliant with New York State’s law, and if not, you need a game plan for helping them achieve compliance. That’s where Panorays can help.
With Panorays’ customizable Smart Questionnaires™, you can easily and quickly determine which vendors need to comply with which regulations.
Our automated platform uses a variety of techniques to determine where your vendors stand in terms of security posture. We can assess how well they protect their network and identify vulnerabilities that could cause a breach. We’ll inform you and your vendors of any vulnerabilities we find, along with suggestions of how to remediate them so your vendors will achieve compliance. Moreover, Panorays makes it easy to maintain the necessary documents for regulations like the NY SHIELD Act right on the platform.
Want to learn more? Download the CISO’s Guide to Third-Party Compliance Risk to learn how to comply with regulatory standards and mitigate third-party risk.
This post was originally published on December 14, 2020 and has been updated to include fresh content.
The NY SHIELD Act, also known as the Stop Hacks and Improve Electronic Data Security Act, requires any business that owns or licenses data including the personal information of New York residents to apply administrative, technical and physical safeguards to protect the security of that data. In the event of a data breach, it requires businesses to deliver a data breach notice to these residents. If the data breach affected more than 500 New York residents, the breach must also be reported to the New York state attorney general.
The NY SHIELD Act protects the data of New York residents when it is accessed or used by businesses located anywhere in the world, not only those in the state of New York. The act expands the definition of a data breach to include unauthorized access to data, in addition to unauthorized acquisition of personal information. It also expands the definition of private information to cover additional data such as biometric information, account numbers and driver’s license numbers.
The NY SHIELD Act requires businesses to protect the private information of New York residents with appropriate security measures. Private information includes any personal identifier that can be used to identify a natural person, such as a social security number, fingerprint, access code, security code, account number, driver’s license number, and credit or debit card number.