Even though the City that doesn’t sleep seems a little sleepy, compliance and regulation still don’t.  One of the newest laws to hit the books for New York businesses is the SHIELD (Stop Hacks and Improve Electronic Data Security) Act.  This law went into effect on March 21, 2020, while we were all trying to get our employees a way to work from home.

The SHIELD Act requires anyone (business or person) licensing information that includes the private information of a New York resident to implement and maintain “reasonable safeguards” to protect that information.  Private information can include a username or email address in combination with a password that would grant access to an account, or any personal information including a social security number, driver’s license number, other government ID number, credit or debit card information, other financial account numbers, biometric data, etc.

However, if this information is protected through encryption and the encryption key used to protect it was not lost or leaked in the process, the data is not covered.  Data that is also available from a government record is likewise exempt.

Any small business (fewer than fifty employees, under $3m in gross annual revenue, or less than $5m in assets) is compliant if it maintains reasonable administrative, technical and physical safeguards that are appropriate to the complexity and size of the business, the nature of its activities, and the sensitivity of the information it collects.  A business is also considered compliant if it already complies with GLBA, NYCRR 500, or any other data privacy rules or regulations administered by the State of New York or the Federal Government.

Businesses covered by this law may be liable for penalties up to $5,000 per violation.

The act sets out to assign some guidelines about what these safeguards should include:

Administrative Safeguards

The Act stipulates that one or more employees should be assigned to coordinate the security program, identify reasonably foreseeable internal and external risks, assess how sufficient the safeguards in place are to control these identified risks, train and manage employees in the security program’s practices and procedures, select appropriate service providers capable of maintaining these safeguards, and adjust the program as the business changes.

What it doesn’t specify is whether an outside third party can act as this coordinator. It specifically says employee. In other regulations, it’s common to allow a third party to serve as the data privacy officer or a similar position.

Technical Safeguards

The SHIELD Act requires the business to assess the risks in the design of its network and the software it uses, and in how information is processed, transmitted and stored; to detect, prevent and respond to attacks and system failures; and to regularly test and monitor the effectiveness of key controls, systems and procedures.

Physical Safeguards

Businesses must assess the risks of information storage and disposal; detect, prevent and respond to intrusions; protect against unauthorized access to or use of private information during or after its collection, transportation, destruction or disposal; and dispose of private information within a “reasonable amount of time” after it is no longer needed for business purposes by erasing electronic media so that the information cannot be reconstructed.

Is your cybersecurity program following a framework?

If your business is following a security framework such as the NIST Cybersecurity Framework, CIS 20, or the meta-framework Secure Controls Framework, you are likely all set.  You can easily map the work you are already doing to this regulation and see that you meet all of the requirements.  These frameworks provide a blueprint for how a security program can be structured so that as new regulations come out (and they will) your business is ready while your competitors are scrambling to piece together policies to make a square peg fit into a round hole.

More and more regulations are codifying the basic tenets that these frameworks stipulate.  The homage to the NIST Cybersecurity Framework in the technical safeguards section of this Act is a clear result of this. If you are looking for a way to jump start your security program, or need help deciding which framework to base your security on, give us a ring. We’d be happy to help guide your business to a more secure future.