On the internet, we’re all Hansel and Gretel. But the trail of breadcrumbs we leave behind when searching, posting on social media or shopping online isn’t designed to help us find our way back home. Instead, it’s designed to help the companies we interact with provide a richer, more customized and useful online experience.
But those same pieces of data — those digital breadcrumbs — are a potential treasure trove of information that cybercriminals can use to steal your identity, hack your data and thoroughly ruin your day.
While the federal government has begun to make meaningful progress in protecting Americans’ data — most recently with President Biden’s Executive Order on Improving the Nation’s Cybersecurity — states have historically been the ones to act the earliest and the strongest to safeguard their citizens’ information.
New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into effect in March of 2020. Here we’ll take a closer look at what it is, the safeguards it demands, and how organizations can ensure compliance.
What Is the SHIELD Act?
In short, the act requires businesses that collect private information on New York residents to implement reasonable cybersecurity safeguards to protect it.
According to New York Attorney General Letitia James, “the SHIELD Act significantly strengthens New York’s data security laws by expanding the types of private information that companies must provide consumer notice in the event of a breach, and requiring that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”
What Does the SHIELD Act Do?
It amends New York’s 2005 Information Security Breach and Notification Act, which defined a security breach as the acquisition of data. The SHIELD Act updates that definition to “any access to computerized data that compromises the confidentiality, security, or integrity of private data.”
It also expands the definition of “private information” to include not only a resident’s Social Security number, driver’s license number, account number, or credit or debit card number, but also biometric information and account credentials (a username or email address together with a password).
Finally, the SHIELD Act requires any organization that stores the private information of New York residents to adopt specific administrative, technical and physical safeguards.
How To Achieve SHIELD Act Compliance
Achieving SHIELD Act compliance requires that an organization have a cybersecurity program with three main elements:
- Administrative safeguards, such as designating employees to coordinate the security program, identifying foreseeable external and insider risks, assessing existing safeguards, implementing workforce cybersecurity training, and selecting and managing third-party service providers capable of maintaining appropriate safeguards.
- Technical safeguards, such as risk assessments of network design, software design, and information processing, transmission and storage; implementation of measures to detect, prevent, and respond to system failures; and regular testing and monitoring of key controls.
- Physical safeguards, such as detecting, preventing, and responding to intrusions, and protecting against unauthorized access to (or use of) private information during or after its collection, transportation, and destruction or disposal.
What Are the Consequences of Non-Compliance?
The New York State Attorney General enforces the SHIELD Act, giving it regulatory teeth. Failure to implement a compliant information security program can result in injunctive relief and civil penalties up to $5,000 for “each violation.” These penalties can be imposed against an organization as well as individual employees.
Exceptions to the SHIELD Act
Businesses already in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services (NY DFS) cybersecurity regulation (23 NYCRR Part 500) are deemed compliant with the SHIELD Act.
The specific requirements also depend on the size of your organization. Companies with fewer than 50 employees, less than $3M in revenue in each of the last three years, or less than $5M in total year-end assets can scale their programs according to their size and complexity and the nature and sensitivity of the information they hold.
How To Get Help for SHIELD Compliance
If your organization finds itself overwhelmed by cybersecurity requirements and regulations like those in the SHIELD Act, consider partnering with a security operations solutions provider who can help you achieve and maintain compliance while proactively protecting your people, your processes and your data.
Here’s what to look for in a security operations provider:
- Supplies access to IT and security experts who can help you develop and coordinate your security program, as well as offer insight and guidance into compliance.
- Offers internal and external vulnerability assessment and management capabilities to discover, assess and remediate risk, as well as harden your overall security posture.
- Provides 24×7 monitoring of your networks, endpoints, and cloud environments to help you detect, respond to, and recover from modern cyber attacks.