In a recent issue of the Central New York Business Journal iV4 Chief Technology Officer and Security subject matter expert Michael Montagliano discusses how to comply with NY SHIELD Act.
Published: December 2, 2019 in the Central New York Business Journal
On July 26 2019, New York's governor signed the "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act, broadening New York's security breach notification requirements (899-AA) and requiring businesses to implement reasonable administrative, technical, and physical safeguards for the "private information" of New York residents (899-BB). The breach notification requirements took effect in October of this year with the safeguard requirements due by March 2020.
Why the SHIELD Act is Needed
The stated purpose for implementing an updated breach notification law was that it needed to “keep pace with current technology,” and If we look at the current state of technology, it is easily understood.
For the past several years, organizations have been going through a digital transformation as workloads move from on-premise onto multiple cloud platforms, including Software, Platform, and Infrastructure as a Service. Data is being transferred and dispersed, and the attack surface broadened, making containment and control of information much more challenging.
Additionally, the threat landscape has changed dramatically. Hackers are taking advantage of advanced technologies such as artificial intelligence, machine learning, and data analytics to build new capabilities such as shapeshifter malware with the ability to analyze network defenses and modify malicious code on the fly to circumvent those defenses.
Lastly, cybercrime economics is staggering with $6 trillion in global losses per year expected by 2021. For the state, the cost of a lost record is up 4.8% from 2018 to $148, and the average recovery cost from a breach stands at $3.86 million.
So the purpose of the new Shield Act is evident in the numbers.
When the SHIELD Act applies
The SHIELD Act to “ANY person or business that owns or licenses computerized data which includes a New York resident’s private information,” and not just those that conduct business within the state of New York.
The law applies to both regulated companies and unregulated companies, but “without imposing duplicate obligations on those already subject to other federal or New York State data security regulations,” meaning if you are already regulated by existing New York (DFS for example) or federal data regulations (including Gramm-Leach-Bliley Act or HIPAA), your organization should have the appropriate level of controls in place to be considered compliant with the SHIELD Act’s security requirements. Keeping in mind that controls must be applied to the additional data types delineated in the legislation.
Protected New York resident private information includes the following:
- A user name or email address in combination with a password or security question and answer that would permit access to an online account; or
- A person’s name or other information that can be used to identify a specific person, in combination with any of the following:
- Social Security number;
- Driver’s license number or non-driver identification card number;
- Account number, credit or debit card number, in combination with any required security code, access code, password, or other information which would permit access to an individual’s financial account;
- Account number, or credit or debit card number, if the number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
- Biometric information, specifically data generated by electronic measurements of an individual’s unique physical characteristics, including fingerprint, voiceprint, or retina or iris image, or other unique physical representation or digital representations used to authenticate or ascertain the individual’s identity.
Defining a Breach
Prior versions of the law defined a breach as the unauthorized acquisition of private information. A breach only needed to be reported if you were confident that information was exfiltrated from the network.
Starting October 23, The SHIELD Act expanded the definition of a breach to include any unauthorized access to private or personal information. Now any unauthorized viewing of private or personal information would be considered a breach and requires notification to the Attorney General, even if there is no evidence that the data was removed.
How to comply with NY SHIELD Act
The SHIELD Act requires any person or business holding a New York resident’s private information to develop, implement, and maintain “reasonable” administrative, technical, and physical safeguards to protect and securely dispose of New York residents’ private information.
To comply with the SHIELD Act you need to:
- Regularly Train Users
- Have Visibility of Vulnerabilities
- Implement a Control Framework
- Control & Limit User Access
- Review Private Information Storage & Disposal Processes
- Develop Incident Response and Disaster Recovery Plans
Fines and Penalties
The penalties for violating the SHIELD Act are somewhat murky. The New York State Attorney General may prosecute the offending organization if it fails to implement “reasonable” administrative, technical, and physical safeguards to secure New York residents’ private or personal information.
If an organization fails to comply with the SHIELD Act’s breach notification requirements, Attorney General may impose a civil penalty of the greater of (a) $5,000 or (b) $20 per instance of failed notification with a new ceiling of $250,000, twice the previous penalty.
Ready to take action?