The Stop Hacks and Improve Electronic Data Security (SHIELD) Act is designed to protect the personal data of all New York residents. This act broadens the data privacy and protection standards stipulated in the Gramm-Leach-Bliley Act (GLBA) and the New York Department of Financial Services (NYDFS).
What makes this particular data protection law unique is its inclusion of biometric information, usernames, and passwords in the category of personal information. This updated definition, alongside stricter data breach notification requirements, aligns the NY SHIELD Act with a growing number of regulations handing data privacy power back to the consumer, including the GDPR, CCPA, and HIPAA.
Compliance with the New York SHIELD Act is expected of every business collecting personal data from a New York resident - regardless of whether the entity collecting data is located in New York State. This includes third-party service providers, which means your Third-Party Risk Management program should be adjusted to address the information security standards of the NY SHIELD Act.
To learn how to comply with all of the third-party risk management requirements of the SHIELD Act, read on.
Checklist: Third-Party Risk Compliance and the NY SHIELD ACT
Addressing all items in this list could help your business comply with the third-party risk management mandates outlined in the NY SHIELD Act. Some items in the list below also include suggested security controls for information processing compliance.
1. Train Employees for a Compliant Data Security Program
The SHIELD Act’s expansion of the definition of a data breach has a significant impact on the day-to-day activities of employees, especially remote staff heavily reliant upon email communications.
An organization heavily dependent upon internal email communication is at an even greater risk of a security breach under this expanded definition. Threat actors start most of their cyberattack campaigns with a phishing email - a fraudulent email designed to steal internal credentials to gain unauthorized access to a corporate network.
After network credentials have been divulged through a phishing email, hackers could easily gain access to the complete scope of sensitive customer data within the NY SHIELD Act’s expanded definition, including:
- Social security numbers.
- Driver’s license numbers.
- Financial account details.
- Biometric information.
- Customer online account information.
- Private information of New York residents.
- Account numbers.
- Debit card numbers.
Such security incidents can be avoided by including employee security training in your cybersecurity program.
2. Include NY SHIELD Act Data Breach Notification Protocols in your Incident Response Plan
Any regulation enforcing personal information security is expected to include breach notification laws for alerting individuals impacted by a security event. Following a data breach, the NY SHIELD Act expects businesses to alert the following parties as quickly as possible:
- Impacted individuals.
- Attorney General’s office.
- The New York Department of State.
- The New York State police.
The last three entities are automatically notified after submitting a data breach report through the NYAG Data breach portal.
Your Incident Response Plan should clearly outline a protocol for submitting security events to this portal.
Data breaches involving more than 5,000 New York residents must also be reported to a nationwide consumer reporting agency. The agencies recommended by the New York Attorney General are listed below:
Data Breach Notification Exemptions
The NY SHIELD Act exempts accidental personal data exposures that are unlikely to result in misuse or compromise from its breach notification rule. An example of such an event is an employee accidentally sending an email with a customer’s social security number to an incorrect email address instead of the accounting department.
A data breach notification exemption would only be applicable in this instance if:
- The employee instantly notifies their employer of the event.
- The employer documents the incident alongside a plausible reason why the exposure is unlikely to result in misuse or financial harm to impacted individuals.
- The documented incident is maintained for at least five years.
However, if the incident resulted in the exposure of private information pertaining to at least 500 New York residents, the documented incident must be submitted by the employer to the state attorney general within ten days of the event.
3. Implement Reasonable Administrative Safeguards
The NY SHIELD Act outlines a list of requirements for reasonable safeguards in the administration category. Each provision is listed below alongside suggested responses to achieve SHIELD Act compliance in this area:
The designation of at least one employee to coordinate a security program.
This designation should be officially outlined across all response plans and internal HR records. It also helps to highlight all relevant points of contact in security software access control descriptions.
Identify reasonably foreseeable internal and external risks.
Such clairvoyance is best achieved with an attack surface monitoring solution capable of discovering security risks and vulnerabilities, both internally and across the vendor network.
Assess the sufficiency of safeguards in place to control the identified risks.
Penetration tests, internal risk assessments, and security ratings, when combined, offer an objective evaluation of a business’s state of security and potential systems failures linked to a cybersecurity program.
Select service providers capable of maintaining appropriate safeguards and require those safeguards by contract.
Evaluate the level of residual risks associated with each potential vendor with a combination of security questionnaires and security ratings. These data security requirements impact all entities processing New York resident data, including small businesses.
4. Implement Reasonable Technical Safeguards
The NY SHIELD Act outlines a series of reasonable technical safeguards that must be met to achieve compliance. Each requirement is listed below alongside suggested responses to achieve SHIELD Act compliance in this category.
- Assess risks in network and software design
- Assess risks in information processing, transmission, and storage.
An attack surface monitoring solution can rapidly detect security vulnerabilities caused by faulty software design, such as misconfigurations and network security risks.
Rapidly detect, prevent, and respond to attacks or system failures.
All implemented vulnerability detection programs should be supported with a remediation strategy for rapidly addressing all verified risks. Ideally, the most critical security risks should be identified and prioritized.
Regularly test and monitor the effectiveness of key controls, systems, and procedures.
A security rating solution that assesses risks based on multiple critical attack vectors can continuously monitor the effectiveness of remediation efforts and potential new security risks.
Regular penetration tests performed by an independent body will offer an objective evaluation of the resilience of all implemented security controls.
5. Implement Reasonable Physical Safeguards
Each physical safeguard requirement of the NY SHIELD Act is listed below alongside suggested responses to achieve SHIELD Act compliance in this category.
Assess risks of information storage and disposal.
Security risks associated with information storage and disposal processes can be detected with attack surface monitoring software and penetration testing. The evaluation method becomes much simpler if data storage best practices are followed.
- Detect, prevent, and respond to intrusions;
- Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information.
These two physical safeguard requirements can be addressed by implementing a security framework dependent upon exemplary user access security, such as the Zero-Trust framework.