In partnership with Harris Beach and Caetra.io we hosted a webinar on the NY SHIELD Act and covered what businesses will need to do by March 23, 2020 to comply.
For many organizations, New York’s newly passed SHIELD Act is the first legal obligation to implement security protections.
Any business that maintains private information of New York state residents is now required to report the unauthorized access or viewing of personal information to the NY Attorney General. By March 2020, the SHIELD Act requires that a comprehensive security program be in place, or risk penalties.
Why another regulation?
The purpose states, “New York’s data breach notification law needs to be updated to keep pace with current technology”.
If you look at the state of technology today, organizations are going through a digital transformation moving workloads to the cloud and storing data in more places than ever before. Plus, the threat landscape continues to evolve, and attackers are getting smarter and using new methods.
October 2019 Requirements
One deadline has already passed: in October 2019 the definition of protected data was expanded to include the following personal information:
- Biometric information: fingerprint, retina or iris image, any other unique physical or digital representation
- Financial information in combination with other information (e.g. mother's maiden name) that could potentially allow access
- Username and password
Expanded definition of what a breach is
Under prior versions of the law, a breach was considered the unauthorized acquisition of private information. The SHIELD Act now expands the definition of a breach to include any unauthorized access to private and/or personal information.
This means that any unauthorized viewing of private and/or personal information would be considered a breach and would need to be reported to the Attorney General, even if there is no evidence that the data was extracted.
Increased fines for violations
If you’re thinking you’ll just pay the fines, note that the new ceiling is $250,000 or $20 per record. That cost doesn’t include what you’ll pay to remediate and recover data. Ultimately, if you don’t implement the requirements, the Attorney General can shut your business down.
March 23, 2020 Requirements
The biggest impact of the SHIELD Act is the new set of security obligations required to protect private information. Take the time to determine what you already have that meets SHIELD standards and identify where the gaps are.
If regulatory requirements are new for you, then this is a great opportunity to evaluate your current security program and align it with some basic standards.
“All of our clients do some sort of security, but they don’t document it. They don’t have controls in place that make sure things are happening the way they intend to. The law presumes that there are key controls in place. If you don’t have them, you need to start creating them.” -Alan Winchester
To summarize, the 14 security requirements that must be in place by March 23, 2020 under SHIELD include:
- Appoint or outsource a CISO with power and commensurate responsibility and accountability
- Implement a security program with policies, controls, and standards that support the technical, administrative, and physical safeguards required by the law
- Assess the program to see if it addresses foreseeable risks
- Develop and document an Incident Response Plan
- Train employees on security best practices
- Manage cloud providers and implement contract changes to require your security program
- Document the effectiveness of the program to avoid the now sizable fines
These are only a few of the topics and insights covered in the session. There is so much more to learn about the SHIELD Act!
Download the slide deck and watch our webinar now on-demand!
Ready to take action?