What Companies Need to Know to Comply with the NY SHIELD Act

BCLP

On March 21, 2020, companies will need to comply with yet another data privacy and security law when the New York Stop Hacks and Improve Electronic Data Security Act ("NY SHIELD Act") takes effect. The SHIELD Act is unique in that it doesn’t just apply to covered persons and businesses conducting business in New York, but to any person or business holding personal information of New York residents.

Fortunately, implementing the data security provisions in the SHIELD Act won’t be too much of a burden for those already complying with existing state data security laws.

Among other things, the NY SHIELD Act requires that companies adopt reasonable safeguards to protect the security, integrity, and confidentiality of sensitive personal information, referred to as “private information.” Private information includes social security number, driver’s license number, financial account information, biometric information, and username and password. The unauthorized access to, or acquisition of, private information may require notification to affected individuals and regulators under the New York data breach notification law, which the Act amends.

The NY SHIELD Act identifies certain requirements of a data security program that, if implemented, will render a business compliant. These include reasonable administrative, technical, and physical safeguards:

1. Reasonable administrative safeguards such as the following, in which the person or business:

  • Designates one or more employees to coordinate the security program;
  • Identifies reasonably foreseeable internal and external risks;
  • Assesses the sufficiency of safeguards in place to control the identified risks;
  • Trains and manages employees in the security program practices and procedures;
  • Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
  • Adjusts the security program in light of business changes or new circumstances.

2. Reasonable technical safeguards such as the following, in which the person or business:

  • Assesses risks in network and software design;
  • Assesses risks in information processing, transmission and storage;
  • Detects, prevents and responds to attacks or system failures; and
  • Regularly tests and monitors the effectiveness of key controls, systems and procedures.

3. Reasonable physical safeguards such as the following, in which the person or business:

  • Assesses the risk of information storage and disposal;
  • Detects, prevents and responds to intrusions;
  • Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
  • Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

If these requirements seem familiar, it’s likely because many of them are already required by similar laws in Oregon, Massachusetts and Colorado (among others), and by then-California Attorney General Kamala Harris in her 2016 Data Breach Report, as part of the minimum standards for information security programs of companies that maintain sensitive personal information about residents of those states.

Moreover, if your organization already complies with one of the recognized data security standards, such as those published by the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), or the International Organization for Standardization (ISO), then that compliance should be sufficient to comply with the NY SHIELD Act.

Recognizing potential burdens to small businesses, the NY SHIELD Act provides a limited buffer to persons and businesses that have fewer than 50 employees, less than $3 million in annual gross revenue (in each of the last 3 fiscal years), or less than $5 million in year-end total assets (calculated in accordance with GAAP). Such businesses need only show “reasonable” safeguards appropriate to their size and complexity. New York carves out from the requirement organizations that are otherwise regulated by federal law, such as under the Gramm-Leach-Bliley Act (GLBA) for financial institutions, or the Health Insurance Portability and Accountability Act (HIPAA) for healthcare organizations.

So, what should you do if your organization is required to comply with the NY SHIELD Act?

1. Identify whether your organization has an existing Written Information Security Plan, or WISP. Since there are existing laws in a handful of other states that require a WISP, you may already be in compliance with the NY SHIELD Act.

2. Confer with your Information Security or Technology Team to determine if the organization complies with one of the recognized security standards, like NIST, ISO or CIS, as compliance with one of those standards should satisfy the requirements of the New York law.

3. If your organization neither has a WISP nor adheres to a data security framework, now is an excellent time to evaluate your data security practices and ensure compliance with the various requirements. You can do that by:

  • Designating an individual or a small team to coordinate a data security program;
  • Retaining an outside vendor to conduct a risk assessment for you and identify threats to your environment;
  • For each identified risk, implementing a control or strategy to mitigate the risk, including end-point monitoring, increased logging, and multi-factor authentication;
  • Developing a data retention policy that includes a secure method of disposing of sensitive data when it is no longer needed for business purposes; note that many laws require you to dispose of sensitive information in a prescribed, secure manner;
  • Training your employees on data security risks to help mitigate threats to your organization from an ill-prepared and untrained workforce;
  • Documenting these efforts and preparing a WISP that complies with the requirements of various data security laws.

With data security breaches a growing threat to businesses and to the confidentiality of sensitive personal information, companies can expect more states to follow suit and implement similar requirements. While these laws can seem costly and burdensome, keep in mind that their goal is to help companies prevent and respond to data security incidents, the cost of which can far outweigh the cost of creating and maintaining an appropriate data security program.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
