Stop Hacks and Improve Electronic Data Security (SHIELD ACT)
In March 2020, the Shield Act went into effect; it requires businesses to protect the personal and private data of New York residents.
We've unpacked the compliance requirements in an easy-to-understand guide below.
New Cyber Security Law Requires Data Privacy
Stop Hacks and Improve Electronic Data Security Act Defined
Who Does the Shield Act Apply to?
All Businesses Must Comply: The Shield Act was designed to ensure data protections are in place for unregulated businesses and for businesses that no other governing agency requires to implement a cyber security program. In other words, all businesses must comply with the law, apart from a few exceptions, which include:
- Businesses with fewer than 50 employees
- A business or individual with less than $3M in annual revenue in the last three years, or less than $5M in year-end total assets
There is one alternative to compliance: if a business must already comply with another New York State or Federal cyber security regulation, it is considered compliant with the Shield Act. A number of regulations and regulatory agencies obligate businesses and organizations to implement a cyber security program to protect consumer data, such as HIPAA, HITECH, GLBA, and the Department of Financial Services' 23 NYCRR 500, to name a few.
Businesses Domiciled Outside of New York State Must Comply: The Shield Act applies to the data and privacy of New York’s residents. This means that any business, including a business located outside of New York State, must follow the Shield Act security, privacy and breach notification requirements for consumers who reside in New York State.
What is Considered Private Information?
The Shield Act redefines “Private Information” to include much more information than before. Let’s face it, malicious hackers have leaked passwords, social media, and other publicly available information at their fingertips. When this information is coupled with even the smallest piece of “Private Information,” it becomes much easier to obtain credentials, gain access to networks and applications, and reach potentially gobs of other private information.
Private Information is defined as:
- An unencrypted piece of personal information, or personal information together with its encryption key
- Social security number
- Driver's license number or non-driver identification card number
- Account number, credit or debit card number, in combination with a security code, access code, password, or other information used to access an individual's financial account
- Account number, or credit or debit card number, if it can be used to access an individual's financial account without an additional identifying security code, access code, or password
- Biometric data, including fingerprint, voice print, retina or iris image, or other unique physical identifying features
- A username or e-mail address in combination with a password, or a security question and answer
This list of private information is greatly expanded from previous versions of business law in New York State.
Fines and Breach Notification Guidelines
This is a lot of data to protect, and the key difference between the NYS Shield Act and many other “privacy laws” is that this law is clear about the financial penalties a business will pay if a data breach occurs. The law also directs the business to notify the NYS Attorney General and the consumer, and in some cases the consumer reporting agencies, in the event of unauthorized disclosure of private information.
Here is a summary of the breach notification guidelines:
- If the private information of any New York resident is believed to have been accessed or acquired by a person without valid authorization, the business must:
  - Notify the people impacted.
  - Include in the notification a description of the information believed to have been accessed, and provide the telephone numbers and websites of state and federal agencies that offer resources and assistance with identity theft.
  - When New Yorkers are notified, also notify:
    - The New York State Attorney General
    - The Department of State
    - The State Office of Information Technology Services
  - When more than 5000 New York residents are notified, also notify the consumer reporting agencies.
All breach notifications must be made without delay; however, the timing of disclosure should remain consistent with the needs of law enforcement and with the business's information technology incident response and recovery plans.
New York State lawmakers are serious about requiring businesses to protect the personal and private information they store, hold, and license. The fines for non-compliance have already been determined: $20 per instance of failed notification (from $5k up to $250k), plus civil penalties.
What Does the Shield Act Require?
Implementing a data security program under the “Stop Hacks and Improve Electronic Data Security” Act requires a business to apply reasonable security safeguards using administrative, technical and physical security controls. Each control must keep pace with the business, realistically and practically protecting data privacy as the business changes and new circumstances arise. Let’s discuss each safeguard in detail.
Administrative Safeguards: Under the Shield Act, each business must designate one or more employees to coordinate the security program. Running the security program requires the business to manage and provide a cyber security awareness program for employees. The program is also responsible for ensuring, by contract, that vendors and service providers are held to security standards that likewise protect the security and privacy of New York residents. Some businesses will require each service provider to show proof of compliance with the Shield Act, while other businesses may decide to use SOC 2 or HITRUST as a benchmark for security safeguards. Regardless of the measurement tool, supply-chain attacks are on the rise, and businesses must hold their service providers and vendors accountable to high standards in privacy and security.
Technical Safeguards: How does a business ensure that technical safeguards, such as network configurations, patching processes, firewalls, and access controls, are working properly? It's simple. Test them. Proactive security testing to assess the technical defenses is a central requirement of the Shield Act. This includes assessing and testing the design of the network and software, as well as ensuring that technical security protections are working properly to protect data at rest, in storage, and in transit from one party to another.
For more than two decades, Zelvin Security has been a trusted leader in providing independent security assessments to test the technical cyber-security protections of banks, manufacturers, insurance, lending, and retail businesses, and many more. Performing a penetration test or a vulnerability assessment to measure cyber-risks on a network or web application requires the specialized skills and experience of an Ethical Hacker (also known as a Penetration Tester). Every day we work with large and small businesses, using proprietary methodologies to perform security testing. We identify and prioritize security weaknesses found in networks and applications, and then we offer the most practical, cost-effective mitigation solutions. Our security team is prepared to help businesses and organizations comply with the Shield Act by performing regular tests to measure “the effectiveness of key controls, systems and procedures.”
In addition to regular security assessments, the Shield Act now requires businesses to “detect, prevent and respond to attacks.” In today’s threat landscape, all businesses, even very small entities, are a target for malicious hackers. Policy makers in Albany realize this fact, which is why detecting a cyber-attack and monitoring the effectiveness of key controls is a requirement of the Shield Act. Recently, Zelvin Security began providing real-time monitoring services in response to client needs.
An intrusion detection service is typically powered by artificial intelligence to provide a real-time solution for threat hunting. Plus, this type of monitoring solution allows the business to focus on its job, the business, while the monitoring software focuses on threats.
Physical Safeguards: The Shield Act clearly identifies the process businesses must use to store and dispose of information. Naturally, businesses must assess the risks associated with unauthorized physical access to private information, which includes protecting the information during storage and disposal. Zelvin Security recommends that all businesses maintain a chain-of-custody log to prevent the loss of physical files during transit. Further, according to the new Shield Act requirements, data must be “disposed of within a reasonable amount of time after it is no longer needed for business purposes.” Some businesses hold onto unnecessary private information, and when staff turnover occurs or a business moves locations, the physical safeguards on that data could be compromised unless there is a data destruction policy.
Cyber Security is an Ongoing Strategy
All in all, the Shield Act is a robust, proactive cyber security law, and as of March 21, 2020, it is in effect in New York State. Data privacy and proactive security practices are well defined, and business owners are no longer left to decide on their own whether cyber security is a business focus. Most people in IT Security adapt R. W. Emerson’s quote and say, “Security is a journey and not a destination.” At Zelvin Security, we like to say, “We are never done getting better.” This certainly applies to the “Stop Hacks and Improve Electronic Data Security” Act. Businesses will implement the requirements and make ongoing administrative, technical and physical security safeguards to protect the cyber security of their business. The cyber security experts at Zelvin Security are here to help businesses comply with the testing and technical security requirements of the SHIELD Act. Call us today if you would like to learn more about vulnerability testing, penetration testing, web application testing, monitoring services, security training and proactive security best practices.