As we have been promising here for months, the state-level Cybersecurity regulatory requirements are starting to roll out. New York Attorney General Eric Schneiderman is the first to propose legislation to tighten data security laws and expand protections.
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) closes major gaps in New York’s data security laws, and attempts to ensure that the Equifax-class hack doesn’t happen in New York.
Under the SHIELD Act, companies would have a legal responsibility to adopt administrative, technical, and physical safeguards for sensitive data. The liability would apply to any business that holds sensitive data of New Yorkers, whether they do business in New York or not. The standards are commensurate with the sensitivity of the data retained and the size and complexity of the business.
It also expands the types of data that trigger reporting requirements, from simple classifications like “customer information” to specifically include username-and-password combinations, biometric data, and HIPAA-covered health data.
The biggest impact of this first-of-its-kind legislation is that it gives companies a strong incentive to go beyond the bare minimum requirements. A covered entity that obtains independent certification that its data security measures meet the highest standards of the law would receive safe harbor from all state enforcement action.
“Recent data breaches have put New Yorkers at risk. We are woefully unprepared to protect against cyber-attacks, putting America’s economy in peril. While the federal government drags their feet we must act to protect New Yorkers. The SHIELD Act will serve as a blueprint for NY and the rest of the nation to follow to keep Americans safe,” said Senator David Carlucci (D), 38th Senate District, NY.
The way in which this bill is being implemented suggests that the state is both serious and reasonable about what is required and how to get there.
The SHIELD Act specifically accommodates “compliant regulated entities,” defined as those already regulated by, and compliant with, existing or future regulations of any federal or NYS government entity (including NYS DFS regulations, regulations under Gramm-Leach-Bliley, and HIPAA regulations). Such entities are deemed automatically compliant with this law’s “reasonable” security requirement.
The bill also provides that “certified compliant entities,” defined as those holding independent certification of compliance with the aforementioned government data security regulations or with ISO/NIST standards, receive safe harbor from AG enforcement actions under this law.
It further provides a more flexible standard for small businesses (fewer than 50 employees and under $3 million in gross revenue, or less than $5 million in assets), requiring only reasonable safeguards “appropriate to the [small business’s] size and complexity.” This is clearly designed to let companies that can’t afford enterprise-level Cybersecurity protections implement a basic SIEM solution, with proper process and controls in place, that at least detects a breach and supports the required notification.
A notable shift is the depth to which the requirement defines customer information, and here it differs from the NYDFS requirement: it insists that additional data types, including username-and-password combinations, biometric data, and HIPAA-covered health data, are included in coverage. DFS does not make that distinction. So, while compliance with DFS would normally exempt a business under this law, it seems there are some details that still need to be worked out.
A major distinction compared to current regulations, however, is that the requirement applies to any business which “holds” private information (PII) on New York residents. The current regs only apply to those “doing business” in the state.
This is the beginning of what will surely be copy-cat legislation in every state, and it will undoubtedly become law across all 50 by the end of 2018. The obvious action now is to get your business into compliance before the law begins to be enforced. As we have seen with the no-nonsense GDPR regs, the fines are attention-getters.
Why screw around? A simple SIEM solution with proper process and controls runs as little as a few thousand bucks a month. A pentest, vulnerability assessment, regulatory gap analysis and a compliance plan together cost less than your Christmas party. All in all, that is less than the cost of onboarding a new clerical head-count, and far less trouble.
But I guarantee you that failing to get all this in place will cost you five times more in fines and recovery costs, and that assumes you don’t actually get breached. How un-cool would it be to get fined for non-compliance and get breached at the same time?
Unfortunately, this time there’s really no place to run. Just do it.
This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management.