New York SHIELD Act: The Latest Amendment to NY State’s Cybersecurity Law

New York is updating their cybersecurity laws — here’s how these changes impact your business (even if you’re not in NY)

The New York SHIELD Act. It sounds like something straight out of a popular superhero movie franchise.

However, although it may share the name of an elite defense organization from the blockbuster movie series, the recently passed New York SHIELD Security Act is very real and may impact businesses inside and outside the state. It’s an expansion of the existing New York data security law and General Business Law (GBS §899-AA), and marks the creation of GBS §899-BB by adding to the section on breach notifications, updating definitions, and adding new cybersecurity requirements.

In this article, we’ll dive into what the New York SHIELD
Act is, how it affects your business, and what you can do to be compliant with
this update to the New York cybersecurity law.

Avengers, assem — I mean…

Let’s hash it out.

New York SHIELD Act: What It Is and How It Applies to Me

What the SHIELD Acronym Stands For

The “SHIELD” in the New York SHIELD Security Act (Senate Bill S5575B) stands for “Stop Hacks and Improve Electronic Data.”

I wonder how much time they spent coming up with the full
name for the act that would match that acronym…

What SHIELD Is

The SHIELD Act is an expansion of the state’s existing data breach law. Although it isn’t poised to protect New Yorkers from an alien invasion, it does aim to protect the state’s residents from personal and private information exposure due to cyber hacks. It does this by making the organizations they work for or do business with responsible for the safety and security of their data.

Should the information be exposed through intentional or
unintentional disclosure, the organization must provide notice to any affected
individuals via:

  • written notice,
  • electronic notice,
  • phone notification, or
  • another notification method (such as email, a
    public posting, or an announcement via statewide media).

The disclosure about the breach must be made expediently and
“without reasonable delay.” However, there is one very important caveat. Notice
to affected individuals is considered “not required” if:

“… the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials… Such determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.”

The Act Covers Two Types of Info

What kinds of info does the New York SHIELD Act specify need protection? This information includes:

  • Personal Information. This refers to “any
    information concerning a natural person which, because of name, number,
    personal mark, or other identifier, can be used to identify such natural
    person.”
  • Private Information. This includes a
    variety of information such as a person’s Social Security number, driver’s
    license or another ID card number, financial or account related information
    (such as credit cards), or biometric information that’s not encrypted or is
    encrypted “with an encryption key that has also been accessed or acquired.” It
    also includes users’ login info.

Does the New York SHIELD Security Act Affect You?

The Act applies to “any person or business which […] owns or licenses computerized data which includes private information.” This means that if your business or organization has employees or customers who live in New York, this legislation may apply to you.

If 5,000 or more New York residents are notified of such a
breach simultaneously, the organization also needs to report the “timing,
content and distribution of the notices and approximate number of affected
persons” to consumer reporting agencies that the state attorney general
determines pertinent.

In the event of a data breach, for example, companies whose customers or employees include New York residents must inform the state attorney general about the intentional or non-intentional info disclosure. However, the New York SHIELD Act specifies that companies that collect health-related data must take this a step further by reporting such breaches to federal authorities as well as the attorney general.

Important Deadlines: The Act requires the recording
of data breaches starting on Oct. 23, 2019, but the deadline for adopting
reasonable security measures isn’t until March 21, 2020. Organizations that
did not previously follow the New York Department of Financial Services (NYDFS)
regulations must increase their protections by the March 21
deadline to avoid regulatory scrutiny.

This means that if the NYDFS laws didn’t affect your
business before but do now, you’d better get your act in gear sooner rather
than later to ensure compliance.

What the New York Data Security Act Specifies:

According to the New York SHIELD Act:

“This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information. It also requires reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities.”

The new act of the cybersecurity law defines boundaries, security
requirements, enforcement, and consequences for employers who fail to follow
these standards and best practices. It also serves as an amendment of the
general business law and the state’s technology law concerning notifications of
security breaches.

The text provides updated definitions for multiple terms,
including “personal information,” “private information,” “breach of the
security of the system,” and “biometric data.” This is important as many
companies are using biometric technology and data for employee authentication
and time-management tasks.

All of this is great news for consumers — except for one important caveat: The Act doesn’t create a private right of action for affected residents. Much like the California Consumer Privacy Act (CCPA), enforcement of the New York SHIELD Act is provided by the state attorney general’s office. This means that if someone is financially or personally affected by the disclosure of their information, it’s up to the state’s attorney general to bring action in their name and on behalf of the state’s population.

But what are the risks for businesses who are not compliant
with the new SHIELD Act?

The Consequences of Noncompliance

Although the New York data security act isn’t enforced by
individuals in robotic suits or colorful, star-spangled uniforms, it’s still
trying to stand as an imposing force. If you’re a small to midsize business
that handles New York residents’ data, you especially need to take it seriously
— or else it can cost you dearly.

If an organization doesn’t comply with the regulation by
notifying their employees or customers of any disclosures, the new legislation
states that preliminary relief may be granted (under Article 63 of the civil
practice law and rules) to the victim. If any New York resident who is entitled
to notification of an information disclosure doesn’t receive one but suffers
losses or damages as a result of the disclosure, the court can award damages
for actual costs or financial losses they incur. Furthermore:

“Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to [ten] TWENTY dollars per instance of failed notification, provided that the latter amount shall not exceed [one] TWO hundred fifty thousand dollars.”

Penalties of $5,000 may not be a big deal. But considering
that it can be up to $250,000, now we’re talking some serious dough for small
businesses. While this won’t make much of a dent in the coffers of an
enterprise, it can cause a small or midsize organization
to close its doors.

How You Can Make Your Business Compliant with the SHIELD Security Act

To comply with the new act, businesses of all sizes need to
assess their existing IT infrastructure, resources, devices, policies, and
access controls. For example, to ensure your organization is compliant and to
reduce the risk of data exposure:

  • Check for Vulnerabilities. Review and
    test your network, devices, and other IT systems for any internal and external
    vulnerabilities. This can include performing cyber risk assessments and
    penetration tests. Perform your due diligence to mitigate risks ahead of time.  
  • Review and Implement Access Control.
    Regularly review and update your list of employees to determine who has access
    to what, and whether each person’s level of access is necessary based on their
    job and responsibilities. Minimize the number of users with access to personal
    and private data to only those who need it. This can include applying the
    principle of least privilege (POLP).
  • Review and Update Your Existing Policies and Procedures.
    To ensure that your organization is prepared to respond to a
    data breach, be sure to review and update your existing incident response (IR)
    and disaster recovery (DR) plans. If your organization doesn’t have any such
    plans, now’s the time to create them!
  • Implement Cyber Training for Employees.
    Ensure that all of your employees — everyone from the CEO on down to the
    janitorial staff — are operating with cyber security best practices in mind.
    Training also can provide them with knowledge about how to safely identify and
    respond to potential threats such as phishing emails.
  • Review How You Store and Dispose of Private Information.
    This SHIELD New York data security law dictates that when
    you’re done using personal and private data, you can’t just get rid of it any
    ol’ way. It specifies that businesses must assess risks relating to information
    processing, transmission and storage. It also states that you need to dispose
    of private information “within a reasonable amount of time after it is no
    longer needed for business purposes by erasing electronic media so that the
    information cannot be read or reconstructed.”
  • Implement Encryption. When dealing with sensitive
    private and personal information, it’s generally a best practice (and a smart
    business move in general) to use encryption to help keep that info secure. Use
    SSL/TLS certificates to protect data in transit on your website or mail server.
    S/MIME certificates add the benefit of encrypting data at rest to secure data when
    it sits on your server. Another great encryption method is database
    encryption. These tools can help you to ensure that only the people who are supposed
    to see information have access to it.

TL;DR: What Does All of This Mean?

In a nutshell, the New York SHIELD Act specifies that companies that handle, store, or use New York residents’ personal and private information are required to implement specific data security measures and to report any breaches in a timely manner (or risk facing enforcement from the state’s attorney general).

The New York SHIELD Act dictates that organizations with
existing security protections will need to improve their assessment standards
and tools. Employers and companies who lack any type of security systems and
testing practices will be required to adopt a new security infrastructure. Any
organizations that fail to do so could face civil penalties that cost up to
$250,000.

However, there are things you can do to protect your
organization, employees, and customers:

  • Run cyber risk assessments and pen tests to
    identify vulnerabilities.
  • Maintain up-to-date employee access lists.
  • Review and update any existing policies and
    procedures; create new ones as necessary.
  • Make cyber awareness training mandatory for all
    employees.
  • Assess risks in information processing and use
    proper data storage and disposal techniques. 

We hope that this article provided you with useful insights about the New York SHIELD Act that you can use to make important decisions for your business and best serve your customers.

As always, leave any questions or thoughts in the comments!


*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/new-york-shield-act-the-latest-amendment-to-ny-states-cybersecurity-law/