Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
Signed into law by the New York State governor on July 25, 2019, the SHIELD Act goes into effect March 21, 2020 and amends the general business law and the state technology law in relation to notification of a security breach. The law covers any employer, individual or organization, regardless of size or location, that collects private information on New York State residents.
The SHIELD Act requires implementation of an information security program to protect “private information” defined as:
- any individually identifiable information (such as a name, number or other identifier) coupled with a social security number; a driver's license or non-driver identification card number; an account number, credit or debit card number in combination with any security code, access code, password or other information that would permit access to the individual's financial account; or biometric information (such as a fingerprint, voice print, retina or iris image);
- individually identifiable information coupled with an account number, credit or debit card number if circumstances exist wherein such number could be used to access an individual’s financial account even without additional identifying information, or a security code, access code or password; or
- a username or email address in combination with a password or security question and answer that would permit access to an online account.
The requirement is enforced by the New York State Attorney General. Failure to implement a compliant information security program may result in injunctive relief and civil penalties of up to $5,000 for "each violation", which may be imposed on the organization and on individual employees.
The law broadly requires that “any person or business” that owns or licenses computerized data which includes private information of a New York State resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”
SHIELD Act Reasonable Safeguards:
“Reasonable Safeguards” are categorized as either (1) Administrative, (2) Technical, or (3) Physical. Partners in Regulatory Compliance can engage with your organization to meet the requirements in the following ways.
| SHIELD Act Requirement | Type of Safeguard | Our Service Offering(s) |
|---|---|---|
| Designate one or more employees to coordinate the security program | Administrative | N/A |
| Identify reasonably foreseeable internal and external risks and assess the sufficiency of safeguards in place to control the risks | Administrative | Risk Assessment |
| Train and manage employees in the security program practices and procedures | Administrative | Cybersecurity Awareness Training |
| Select service providers capable of maintaining appropriate safeguards and require those safeguards by contract | Administrative | Third Party Service Provider Management Policy |
| Assess risks in network and software design | Technical | Risk Assessment |
| Assess risks in information processing, transmission and storage | Technical | Risk Assessment |
| Detect, prevent and respond to attacks or system failures | Technical | Managed IT Services*; Firewall, IDS, IPS*; Anti-Virus / Anti-Malware* |
| Regularly test and monitor the effectiveness of key controls | Technical | Vulnerability Assessment |
| Protect against unauthorized access to or use of private information | Physical | Access Control* |