
New York State’s SHIELD Law: Is Your Business Ready?

New York is the most recent state to pass legislation requiring businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect it. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into law in July and went into effect on March 21, 2020. 

As stated, SHIELD applies to “any person or business” that owns or licenses computerized data with private information on a New York State resident.

There is existing legislation in California, Massachusetts, and Colorado that establishes cybersecurity standards around data protection. SHIELD requires that organizations implement a data security program that includes risk assessments, workforce training, and incident response planning and testing. But businesses already in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services (NY DFS) cybersecurity regulations (NYCRR500) are already deemed compliant with the SHIELD Act.

The specific regulations depend on the size of your organization. Smaller ones (under 50 employees, less than $3M in revenue each of the last three years, or less than $5M in total year-end assets) can scale their programs according to size and complexity along with the nature and sensitivity of information. 

Achieving SHIELD compliance requires a cybersecurity program with three main elements:

  1. Administrative safeguards, such as designating employees to coordinate the security program, identifying foreseeable external and insider risks, assessing existing safeguards, implementing workforce cybersecurity training, and selecting and managing third-party service providers capable of maintaining appropriate safeguards.
  2. Technical safeguards, such as risk assessments of network design, software design, and information processing, transmission, and storage; implementation of measures to detect, prevent, and respond to system failures; and regular testing and monitoring of key controls.
  3. Physical safeguards, such as detection, prevention, and response to intrusions, as well as protection against unauthorized access to (or use of) private information during or after collection, transportation, and destruction or disposal of the information.

The New York State Attorney General enforces the SHIELD law, giving it regulatory teeth. Failure to implement a compliant information security program can result in injunctive relief, and civil penalties of up to $5,000 for “each violation” may be imposed against an organization and individual employees.

How Arctic Wolf Can Help Get You Ready for SHIELD Law

Multiple violations can have serious consequences to a business’s bottom line. However, that often pales in comparison to the reputational damage caused by notorious news headlines.

If your organization finds itself overwhelmed by cybersecurity challenges and regulations like SHIELD, don’t worry. Arctic Wolf helps you meet many of its requirements, while improving your overall security posture.

  • “(D)esignates one or more employees to coordinate the security program” (§ 4.(2)(A)(1))
    • This can be done in coordination with the Arctic Wolf Concierge Security™ Team.
  • “(I)dentifies reasonably foreseeable internal and external risks” (§ 4.(2)(A)(2))
    • The Arctic Wolf™ Managed Risk offering provides internal and external vulnerability assessment and management capabilities to understand such risks—however, that doesn’t exempt an entity from performing a separate risk assessment to cover process, policy, and physical areas of risk.
  • “(S)elects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract” (§ 4.(2)(A)(5))
    • Arctic Wolf acts as your service provider to monitor your systems and assess/manage vulnerabilities in those systems.
  • “(D)etects, prevents and responds to attacks or system failures; and regularly tests and monitors the effectiveness of key controls, systems and procedures” (§ 4.(2)(B)(3 and 4))

Learn more about how Arctic Wolf can help you meet the cybersecurity challenges of your industry.