NY SHIELD Act Checklist


The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), or Senate Bill 5575, was enacted on July 25, 2019, as an amendment to the New York State Information Security Breach and Notification Act. The law goes into effect on March 21, 2020.

The motivation behind the SHIELD Act is to update New York's data breach notification law to keep pace with current technology. The bill broadens the scope of information covered under the notification law and updates breach notification requirements when there has been a breach of data.

It also broadens the definition of a data breach to include an unauthorized person gaining access to private information and requires organizations to employ reasonable data security.

Critically, this includes the designation of a person to oversee the processes of Vendor Risk Management and to conduct due diligence on the data security measures of third-party vendors and service providers. To help with adherence, the SHIELD Act provides standards tailored to the size of a business and protections from liability for certain entities.

In short, the SHIELD Act imposes stronger obligations on businesses handling personal and private information to mitigate threats that contribute to identity theft, such as data breaches and data leaks.

Why is the SHIELD Act Important?

The SHIELD Act is important because it has "extraterritorial application," which means it covers all employers, individuals, or organizations that collect private information on New York residents, regardless of location.

Previously, data breach notification requirements were limited to those that conduct business in New York. Other examples of extraterritorial data protection laws include the California Consumer Privacy Act (CCPA), the EU's General Data Protection Regulation (GDPR), and The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD).

The other important part is the mandatory implementation of a data security program with specific safeguards such as risk assessments, workforce training, incident response planning, and testing, as well as the increased scope of a security breach, such that any viewing of private information could trigger a reporting requirement.

The law aligns the State of New York with other states such as California, Rhode Island, and Massachusetts.

How Has the SHIELD Act Changed Data Breach Notification Requirements?

The SHIELD Act amends New York's existing breach notification law and broadens notification requirements, requiring notification if compromised data is:

  • Computerized data containing private information of a New York resident
  • Reasonably believed to have been accessed or acquired by a person without valid authorization

The SHIELD Act has substantially expanded the definition of private information. In addition to social security numbers, driver's license numbers, credit or debit card numbers, and financial account numbers, it now also covers biometric information; email addresses together with corresponding passwords or security questions and answers; and financial account numbers without a required security code if an unauthorized person could access the account.

Additionally, the definition of a data breach has been broadened to include unauthorized access rather than solely unauthorized acquisition. That said, the law does distinguish good-faith access from a breach.

A breach in security does not include "good faith access to, acquisition of private information by an employee or agent of the business" as long as the data is not used or subject to unauthorized disclosure. Nor is notification required where disclosure was inadvertent by persons with authorized access, and the business reasonably determines the disclosure will not result in misuse of such information or financial or emotional harm.

Nor does the SHIELD Act impose specific time constraints on data breach notification, unlike other data protection laws such as GDPR, instead opting for notification "in the most expedient time possible and without unreasonable delay."

The exception is covered entities that must notify the Secretary of Health and Human Services of a breach under HIPAA/HITECH, including a breach of information (such as protected health information) that is not private information; such entities must then also notify the state attorney general within five business days of notifying the Secretary.

Who Must Comply With the SHIELD Act?

The SHIELD Act broadly requires that "any person or business" that owns or licenses computerized data, which includes private information of a New York resident, "shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including, but not limited to, the disposal of the data."

That said, entities with a data security program compliant under the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and/or the New York State Department of Financial Services Cybersecurity Regulation are exempt as these laws are deemed in compliance with the SHIELD Act.

The other exemption is for small businesses, which may scale their data security requirements according to their size and complexity, the nature and scope of their business activities, and the nature and sensitivity of the information they collect.

The SHIELD Act defines a small business as any person or business that meets one of the following criteria:

  • Less than fifty employees
  • Less than three million dollars in gross annual revenue in each of the last three fiscal years
  • Less than five million dollars in year-end total assets, calculated following generally accepted accounting principles (GAAP)

How to Comply With the SHIELD Act

The SHIELD Act requires organizations to implement a data security program that includes at least the following:

  • Reasonable administrative safeguards: designating one or more employees to coordinate the security program; identifying reasonably foreseeable internal and external risks; assessing the sufficiency of safeguards in place to control the identified risks; training and managing employees in the security program's practices and procedures; selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract; and adjusting the security program in light of business changes or new circumstances
  • Reasonable technical safeguards: assessing risks in network and software design; assessing risks in information processing, transmission, and storage; detecting, preventing, and responding to attacks or system failures; and regularly testing and monitoring the effectiveness of key controls, systems, and procedures
  • Reasonable physical safeguards: assessing risks of information storage and disposal; detecting, preventing, and responding to intrusions; protecting against unauthorized access to or use of private information during or after its collection, transportation, and destruction or disposal; and disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.


What are the Penalties For Not Complying With the SHIELD Act?

Failure to implement a compliant information security program is enforced by the New York State Attorney General and can result in injunctive relief and civil penalties of up to $5,000 per violation.

Businesses that fail to comply with the breach notification requirements can be held liable for the "actual costs or losses incurred by a person entitled to notice." In addition, if the business violates the provision "knowingly or recklessly," a civil penalty of the greater of $5,000 or $20 per instance of failed notification may be imposed, up to a maximum of $250,000.

How is Personal Information Defined in the SHIELD Act?

The SHIELD Act defines personal information as any information concerning a natural person which, because of name, number, personal mark, or identifier, can be used to identify them.

How is Private Information Defined in the SHIELD Act?

The SHIELD Act defines private information as:

  • Any personally identifiable information (PII) such as name, number, or other identifier coupled with a social security number, driver's license number or non-driver identification card number, account number, credit card or debit card number in combination with any security code, access code, password or other information that would permit access to the individual's financial account, or account number, credit card or debit card number if the individual's financial account can be accessed without additional information
  • Biometric information such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data that is used to authenticate or ascertain an individual's identity
  • A username or email address together with a password, or a security question and answer, that would permit access to an online account.

Meeting the Third-Party Risk Requirements of The NY SHIELD Act

Compliance with the New York SHIELD Act is expected of every business collecting personal data from a New York resident, regardless of whether the collecting entity is located in New York State. This includes third-party service providers, which means your Third-Party Risk Management program should be adjusted to address the information security standards of the NY SHIELD Act.

Addressing all items in this list could help your business comply with the third-party risk management mandates outlined in the NY SHIELD Act. Some items in the list below also include suggested security controls for information processing compliance.

1. Train Employees for a Compliant Data Security Program

The SHIELD Act’s expansion of the definition of a data breach has a significant impact on the day-to-day activities of employees, especially remote staff heavily reliant upon email communications.

An organization heavily dependent upon internal email communication is at an even greater risk of a security breach under this expanded definition. Threat actors start most of their cyberattack campaigns with a phishing email, a fraudulent email designed to steal internal credentials to gain unauthorized access to a corporate network.

After network credentials have been divulged through a phishing email, hackers could easily gain access to the complete scope of sensitive customer data within the NY SHIELD Act’s expanded definition, including:

  • Social security numbers.
  • Driver’s license numbers.
  • Financial account details.
  • Biometric information.
  • Customer online account information.
  • Private information of New York residents.
  • Account numbers.
  • Debit card numbers.

Such security incidents can be avoided by including employee security training in your cybersecurity program.


2. Include NY SHIELD Act Data Breach Notification Protocols in your Incident Response Plan

Any regulation enforcing personal information security is expected to include breach notification rules for alerting individuals impacted by a security event. Following a data breach, the NY SHIELD Act expects businesses to alert the following parties as quickly as possible:

  • Impacted individuals.
  • Attorney General’s office.
  • The New York Department of State.
  • The New York State police.

The last three entities are automatically notified after submitting a data breach report through the NYAG Data breach portal.

Your Incident Response Plan should clearly outline a protocol for submitting security events to this portal.


Data breaches involving more than 5,000 New York residents must also be reported to a nationwide consumer reporting agency. The agencies recommended by the New York Attorney General are listed below:

Data Breach Notification Exemptions

The NY SHIELD Act exempts its breach notification rule for accidental personal data exposures unlikely to result in misuse or compromise. An example of such an event is an employee accidentally sending an email with a customer’s social security number to an incorrect email address instead of the accounting department.

A data breach notification exemption would only be applicable in this instance if:

  • The employee instantly notifies their employer of the event.
  • The employer documents the incident alongside a plausible reason why the exposure is unlikely to result in misuse or financial harm to impacted individuals.
  • The documented incident is maintained for at least five years.

However, if the incident resulted in the exposure of private information pertaining to at least 500 New York residents, the documented incident must be submitted by the employer to the state attorney general within ten days of the event.
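The "private information" definition above and the notification thresholds in this section are combinational rules, which is how a DLP or incident-triage tool would encode them. The following Python is an added illustration, not code from the page or from UpGuard: the element labels (`ssn`, `credit_card_number`, ...), the action codes, and the sample incidents are constructed, and the functions only reflect the clauses and thresholds this article quotes (name or identifier coupled with a government ID; financial account number with access information, or alone if the account is accessible without it; biometric data; online credentials; the 500- and 5,000-resident thresholds).

```python
from __future__ import annotations

# Constructed element labels for a hypothetical DLP / triage pipeline (assumption).
PERSONAL_INFO = {"name", "number", "personal_mark", "identifier"}   # "personal information"
GOV_IDS = {"ssn", "drivers_license_number", "non_driver_id_number"}
FINANCIAL = {"account_number", "credit_card_number", "debit_card_number"}
ACCESS_INFO = {"security_code", "access_code", "password"}           # permits access to a financial account
BIOMETRIC = {"fingerprint", "voice_print", "retina_image", "iris_image"}
ONLINE_IDENTITY = {"username", "email"}
ONLINE_SECRET = {"password", "security_question_answer"}


def private_information_clauses(elements, account_accessible_without_more=False):
    """Return the clauses of the SHIELD 'private information' definition that the
    exposed data elements satisfy (empty list = not private information)."""
    e = set(elements)
    hits = []
    if e & PERSONAL_INFO:
        # Clause 1: personal information coupled with a sensitive identifier.
        if e & GOV_IDS:
            hits.append("pii+government_id")
        if e & FINANCIAL and e & ACCESS_INFO:
            hits.append("pii+financial_account+access_info")
        if e & FINANCIAL and account_accessible_without_more:
            hits.append("pii+financial_account_no_extra_info")
    # Clause 2: biometric data used to authenticate or ascertain identity.
    if e & BIOMETRIC:
        hits.append("biometric")
    # Clause 3: username/email with a password or security question and answer.
    if e & ONLINE_IDENTITY and e & ONLINE_SECRET:
        hits.append("online_account_credentials")
    return hits


def notification_actions(residents_affected, inadvertent_by_authorized_person=False,
                         misuse_unlikely=False):
    """Map the article's notification rules to action codes (constructed names)."""
    actions = []
    if inadvertent_by_authorized_person and misuse_unlikely:
        # Exemption: document the incident and retain the record for five years.
        actions.append("document_incident_retain_5_years")
        if residents_affected >= 500:
            # Documented exemption still goes to the AG within ten days.
            actions.append("submit_documentation_to_ag_within_10_days")
        return actions
    actions.append("notify_affected_individuals_without_unreasonable_delay")
    actions.append("submit_to_nyag_breach_portal")   # AG, Dept. of State and State Police
    if residents_affected > 5000:
        actions.append("notify_nationwide_consumer_reporting_agencies")
    return actions


def triage(elements, residents_affected, *, account_accessible_without_more=False,
           inadvertent_by_authorized_person=False, misuse_unlikely=False):
    """Combine classification and notification rules for one exposed data set."""
    clauses = private_information_clauses(elements, account_accessible_without_more)
    if not clauses:
        return {"private_information": False, "clauses": [], "actions": []}
    return {
        "private_information": True,
        "clauses": clauses,
        "actions": notification_actions(residents_affected,
                                        inadvertent_by_authorized_person, misuse_unlikely),
    }


if __name__ == "__main__":
    # Constructed sample incidents, not real breach data.
    samples = [
        ({"name", "ssn"}, 6000, {}),
        ({"name", "credit_card_number"}, 10, {}),
        ({"name", "credit_card_number"}, 10, {"account_accessible_without_more": True}),
        ({"email", "password"}, 500,
         {"inadvertent_by_authorized_person": True, "misuse_unlikely": True}),
    ]
    for elements, residents, flags in samples:
        print(sorted(elements), residents, triage(elements, residents, **flags))
```

The flags `account_accessible_without_more`, `inadvertent_by_authorized_person` and `misuse_unlikely` are judgement calls the business must make and document; the code only makes the consequences of those calls explicit.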


3. Implement Reasonable Administrative Safeguards

The NY SHIELD Act outlines a list of requirements for reasonable safeguards in the administrative category. Each provision is listed below alongside suggested responses to achieve SHIELD Act compliance in this area:

Designate at least one employee to coordinate a security program.

This designation should be officially outlined across all response plans and internal HR records. It also helps to highlight all relevant points of contact in security software access control descriptions.

Identify reasonably foreseeable internal and external risks.

Such foresight is best achieved with an attack surface monitoring solution capable of discovering security risks and vulnerabilities, both internally and across the vendor network.


Assess the sufficiency of safeguards in place to control the identified risks.

Penetration tests, internal risk assessments, and security ratings, when combined, offer an objective evaluation of a business’s state of security and potential systems failures linked to a cybersecurity program.

Select service providers capable of maintaining appropriate safeguards and require those safeguards by contract.

Evaluate the level of residual risks associated with each potential vendor with a combination of security questionnaires and security ratings. These data security requirements impact all entities processing New York resident data, including small businesses.


4. Implement Reasonable Technical Safeguards

The NY SHIELD Act outlines a series of reasonable technical safeguards that must be met to achieve compliance. Each requirement is listed below alongside suggested responses to achieve SHIELD Act compliance in this category.

- Assess risks in network and software design.

- Assess risks in information processing, transmission, and storage.

An attack surface monitoring solution can rapidly detect security vulnerabilities caused by faulty software design, such as misconfigurations and network security risks.

Rapidly detect, prevent, and respond to attacks or system failures.

All implemented vulnerability detection programs should be supported with a remediation strategy for rapidly addressing all verified risks. Ideally, the most critical security risks should be identified and prioritized.


Regularly test and monitor the effectiveness of key controls, systems, and procedures.

A security rating solution that assesses risks across multiple critical attack vectors can continuously monitor the effectiveness of remediation efforts and surface new security risks as they emerge.

Regular penetration tests performed by an independent body will offer an objective evaluation of the resilience of all implemented security controls.


5. Implement Reasonable Physical Safeguards

Each physical safeguard requirement of the NY SHIELD Act is listed below alongside suggested responses to achieve SHIELD Act compliance in this category.

Assess risks of information storage and disposal.

Security risks associated with information storage and disposal processes can be detected with attack surface monitoring software and penetration testing. The evaluation method becomes much simpler if data storage best practices are followed.


- Detect, prevent, and respond to intrusions.

- Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information.

These two physical safeguard requirements can be addressed by implementing a security framework dependent upon exemplary user access security, such as the Zero-Trust framework.
