Shield Act Compliance Requirements


Stop Hacks and Improve Electronic Data Security (SHIELD ACT)

In March 2020, the Shield Act went into effect; it requires businesses to protect New York residents’ personal and private data.

We’ve unpacked the compliance requirements in an easy-to-understand guide below.

New Cyber Security Law Requires Data Privacy

Administrative Safeguards

Develop a cybersecurity awareness program led by a designated employee to manage vendors, employees, and compliance with the Shield Act.

Technical Safeguards

A business must perform security assessments and test that its technical security defenses are working properly to detect, prevent, and respond to cyber-attacks.

Physical Safeguards

Businesses must identify and comply with a process to securely store and dispose of protected information. This includes data after it is no longer needed for business purposes.

Stop Hacks and Improve Electronic Data Act Defined

Who Does the Shield Act Apply to?

All Businesses Must Comply:

The Shield Act was designed to ensure data protections are in place for unregulated businesses, that is, businesses that no other governing agency requires to implement a cybersecurity program. So, all businesses must comply with the law, apart from a few exceptions, which include:

  • Businesses with fewer than 50 employees
  • A business or individual with less than $3M in annual revenue in each of the last three years, or less than $5M in total year-end assets

There is one alternative to compliance: if a business must already comply with another New York State or federal cybersecurity regulation, it is considered compliant with the Shield Act. A number of regulations obligate businesses and organizations to implement a cybersecurity program to protect consumer data, such as HIPAA, HITECH, GLBA, and the Department of Financial Services’ 23 NYCRR 500, to name a few.

Businesses Domiciled Outside of New York State Must Comply:

The Shield Act applies to the data and privacy of New York’s residents. This means that any business, including businesses outside of New York State, must follow the Shield Act security, privacy, and breach notification requirements for consumers who reside in New York State.

What is Considered Private Information?

The definition of “Private Information” is redefined and covers much more information under the Shield Act. Let’s face it: malicious hackers have leaked passwords, social media, and other publicly available information at their fingertips. When this information is coupled with even the smallest piece of “Private Information,” it is much easier to obtain credentials and access networks, applications, and potentially gobs of other private information.

Under the Shield Act, Private Information includes:

  • An unencrypted piece of personal information, or an encrypted one where the encryption key was also exposed
  • Social security number
  • Driver’s license number or non-driver identification card number
  • Account number, credit or debit card number, in combination with a security code or access code
  • Password or other information used to access an individual’s financial account
  • Account number, or credit or debit card number, if it can be used to access an individual’s financial account without additional identifying information
  • Security code, access code, or password
  • Biometric data, including fingerprint, voice print, retina or iris image, or other unique physical identifying features
  • A username or e-mail address in combination with a password or security question and answer

This list of private information is greatly expanded from previous versions of business laws in NYS.

Fines & Breach Notification Guidelines

This is a lot of data to protect, and the key difference between the NYS Shield Act and many other “privacy laws” is that this law is clear about the financial penalties a business will pay if a data breach occurs. The law also directs the business to notify the NYS Attorney General and the consumer, and in some cases the credit bureaus, in the event of unauthorized disclosure of private information.

Here is a summary of the breach notification guidelines:

  • If any New York resident’s private information is believed to have been accessed or acquired by a person without valid authorization, the business must:
      • Notify the people impacted.
      • Include in the notification a description of the information believed to have been accessed, and provide the telephone numbers and websites of state and federal agencies that offer resources and assistance with identity theft.
  • When New Yorkers are notified, the business must also notify:
      • The New York State Attorney General
      • The Department of State
      • The State Office of Information Technology
  • When more than 5000 New York residents are notified, the business must also notify consumer reporting agencies.

All breach notifications must be made without delay; however, the timing of disclosure may be adjusted to remain consistent with the legitimate needs of law enforcement and with the business’s incident response and recovery plans.

New York State lawmakers are serious about requiring businesses to protect the personal and private information they store, hold, and license. The fines for non-compliance are $20 per instance of failed notification ($5k up to $250k) plus civil penalties.

Zelvin Tip

At Zelvin Security, we recommend that businesses appoint one central leader responsible for bringing a cross-section of leaders from each department together to form a cybersecurity task force. Then, the team can use its collective influence to implement a privacy- and security-conscious program.

What Does the Shield Act Require?

Implementing a data security program under the “Stop Hacks and Improve Electronic Data Security” Act requires a business to apply reasonable security safeguards using administrative, technical, and physical security controls. Each control must keep pace with changes in the business and with new circumstances so that it realistically and practically protects data privacy. Let’s discuss each safeguard in detail.

Administrative Safeguards:

Under the Shield Act, each business must designate one or more employees to coordinate the security program. Those responsible for the program must manage and provide a cybersecurity awareness program for employees. They are also responsible for ensuring that vendors and service providers are held to security standards by contract, protecting New York residents’ security and privacy. Some businesses will require each service provider to show proof of compliance with the Shield Act, while other businesses may decide to use SOC 2 or HITRUST as a benchmark for security safeguards. Regardless of the measurement tool, supply-chain attacks are on the rise, and businesses must hold their service providers and vendors accountable for high privacy and security standards.

Technical Safeguards:

How does a business ensure technical safeguards, such as network configurations, patching processes, firewalls, and access controls, are working properly? It’s simple. Test them. Proactive security testing to assess the technical defenses is a central requirement of the Shield Act. This includes assessing and testing the design of the network and software, and ensuring technical security protections are working properly to protect data at rest (in storage) and in transit from one party to another.

For more than two decades, Zelvin Security has been a trusted leader in providing independent security assessments to test the technical cyber-security protections of banks, manufacturers, insurance, lending, retail businesses, and so much more. Performing a penetration test or a vulnerability assessment to measure cyber-risks on a network or web application requires the specialized skills and experiences of an Ethical Hacker (aka Penetration Tester).

Effective & Efficient

Every day we work with large and small businesses, using proprietary methodologies to perform security testing. We identify and prioritize security weaknesses found in networks and applications; then, we offer the most practical, cost-effective mitigation solutions. Our security team is prepared to help businesses and organizations comply with the Shield Act by performing regular tests to measure “the effectiveness of key controls, systems, and procedures.”

Besides regular security assessments, under the Shield Act requirements, businesses are now required to “detect, prevent and respond to attacks.” In today’s threat landscape, all businesses, even very small entities, are a target for malicious hackers. Policymakers in Albany realize this fact, which is why detecting a cyber-attack and monitoring key controls’ effectiveness is a requirement of the Shield Act. Recently, Zelvin Security began providing real-time monitoring services in response to client needs.

An intrusion detection service is typically driven by automated analytics (often marketed as artificial intelligence) that flag suspicious activity in real time, supporting threat hunting. This type of monitoring also lets the business focus on its own job, the business, while the monitoring service focuses on threats.

Physical Safeguards

The Shield Act identifies the process businesses must use to store and dispose of information. Naturally, businesses must assess the risks associated with unauthorized physical access to private information, including protecting the information during storage and disposal of the data.

We recommend that all businesses maintain a chain-of-custody log to prevent physical file loss during transit. Further, according to the new Shield Act requirements, data must be “disposed of within a reasonable amount of time after it is no longer needed for business purposes.” Some businesses hold onto unnecessary private information, and when staff turnover occurs or businesses move locations, the physical safeguards of that data can be compromised unless there is a data destruction policy.

Zelvin Tip

The NYS Shield Act imposes strict data privacy requirements on businesses, including performing regular security assessments to test the technical security safeguards. At Zelvin Security, we are here to assist you. If you have questions, please reach out to one of our cybersecurity experts to learn more. Call (607) 758-9427.

Cyber Security is an Ongoing Strategy

All in all, the Shield Act is a robust, proactive cybersecurity law, and now, as of March 21, 2020, it is effective in New York State. Data privacy and proactive security practices are well defined, and business owners are no longer left to decide on their own if cybersecurity is a business focus.

Most IT security people modify R. W. Emerson’s quote and say, “Security is a journey, not a destination.” At Zelvin Security, we like to say, “We are never done getting better.” This certainly applies to the “Stop Hacks and Improve Electronic Data Security” Act.

Businesses will implement the requirements and maintain ongoing administrative, technical, and physical security safeguards to protect their cybersecurity. The cybersecurity experts at Zelvin Security are here to assist businesses in complying with the testing and technical security requirements of the SHIELD Act. Call us today if you would like to learn more about vulnerability testing, penetration testing, web application testing, monitoring services, security training, and proactive security best practices.

Author: Zelvin Security