On July 25, 2019, New York State Governor Andrew Cuomo signed the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act, which expands the New York State Breach Notification Law (N.Y. Gen. Bus. Law § 899-aa). The Act not only broadens the definition of the word “breach”, but also requires any business holding “private information” of New York residents to implement reasonable data security safeguards under the new § 899-bb.
This law follows a trend set by other states, such as California, Ohio, and Pennsylvania, that hold businesses and agencies accountable for safeguarding the information they collect and use about their states’ residents. The SHIELD Act may be good news for New York State residents, but what does it mean for New York businesses? We will look at how your organization can prepare to comply with the data security requirements, which take effect on March 21, 2020 (the expanded breach notification provisions took effect earlier, on October 23, 2019).
Who has to comply?
New York State businesses of almost all sizes and in almost all verticals are going to be affected by and required to comply with this law. It is the breadth of the term “private information” that makes the law applicable to nearly every New York business, and to businesses with no New York presence at all, so long as they own or license computerized data containing private information of New York residents. Under the Act, private information is a New York resident’s personal information (such as a name or other identifier) in combination with one or more of the following data elements:
· Social Security number
· Driver’s license number or non-driver identification card number
· Account number, or credit or debit card number, where the number alone or together with any required security or access code could be used to access a financial account
· Biometric information (for example fingerprints, retina scans, or other data used to authenticate an individual)
· A username or e-mail address in combination with a password, or with a security question and answer, that grants access to an online account (this element counts as private information on its own, without a name attached)
Businesses maintaining, collecting, or using the information listed above must comply with the New York SHIELD Act. That being said, organizations of different sizes will have different ways of satisfying their compliance requirements. For example, the Act treats an organization as a “small business” if it has fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets. A small business need only show that its safeguards are appropriate for its size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it collects.
What do I need to do?
If you have reviewed the new law, it can seem vague and leave you wondering where to start. Fortunately, the law’s largely non-prescriptive nature gives an organization latitude in how it reaches compliance. So, let’s break it down so you can understand what you have to address and how you can do it.
Firstly, we must understand the expansion of what constitutes a “breach”. Previously, a breach was defined as the unauthorized acquisition of data. For example, if someone found your organization’s FTP server, logged in anonymously with an FTP client, and then siphoned the data off to another storage location, that would be an acquisition of data. Now a “breach” also covers the unauthorized access of data, even where nothing was taken.
Unauthorized access now includes viewing, downloading, or copying data. The statute lets you weigh indications that the information was viewed, communicated with, used, or altered by an unauthorized person in deciding whether it was accessed. This broader definition increases the likelihood that, under the expanded breach notification law, your organization will have to notify the appropriate parties of a breach where in the past it may not have had to. For compliance purposes this can be addressed by including a breach notification section in your Incident Response Plan (IRP) that spells out who decides that an incident is a “breach”, who must be notified (affected residents, and the Attorney General, Department of State, and State Police where notification to residents is required), and on what timeline. As always, consult legal counsel before making any breach notification, or even before declaring an incident a “breach”.
Secondly, there is the newly defined “private information”. In order to comply with the SHIELD Act, organizations must implement a “data security program” with reasonable administrative, technical, and physical safeguards. I know, could that statement be any more vague? Here are a few things to start closing that compliance gap:
Your organization may already have a program that conforms to a recognized framework such as NIST, the Gramm-Leach-Bliley Act (GLBA), or the CIS 20 Critical Controls. Note that the Act deems entities already regulated under GLBA, HIPAA/HITECH, or the NYDFS cybersecurity regulation (23 NYCRR Part 500) to be in compliance with its safeguard requirements. If your organization has implemented one of these frameworks, you are probably closer to compliance than you think, because they all contain controls for safeguarding data. Below are a few steps you can take to move towards compliance:
- Conduct a data classification exercise so that your organization understands what private information you have and where it resides.
- Implement an Information Security Plan (ISP), or at minimum an Acceptable Use Policy (AUP). Both of these policies convey to staff how private information is to be handled, used, and protected.
- Institute a private information handling training program for staff who touch private information, starting with your HR department, so that they understand how to safeguard it. Workforce training is one of the administrative safeguards the Act explicitly names.
- Review your vendors and add language to your Business Service Agreements (BSA) that contractually obligates them to safeguard private information if it must be shared. Establishing a Vendor Risk Management (VRM) program is another good way to demonstrate that your organization is careful about whom it shares private information with.
- As with any data safeguard initiative, ensure that your organization follows the Principle of Least Privilege (PoLP), so that everyone has just enough access to do their job and no more. This helps prevent unintentional data “leakage”, and it also limits how much private information an attacker can view or copy through any single compromised account.
- Finally, have a third-party security firm perform a gap assessment so that you understand where the gaps in your program are and how to address them most effectively.
As with most regulatory frameworks, the key is to show your organization’s due diligence. This means recognizing the requirements and developing a plan that demonstrates how you are going to address them.
How do I get started?
Do not look at this new law as a burden, but rather as an opportunity to mature a critical part of your business. We all watch the news, and every day we see a company reporting large amounts of data being compromised. Everything from client information to who you do business with and how that business gets done is up for grabs. Protect your organization’s hard-earned reputation and avoid costly fines and litigation by investing in a cyber security program.
Information security is now one of the most critical business functions in your organization. Over the next few months we can expect to see this regulation become more prescriptive. If you don’t know where to start, or do not have the resources to establish a program or meet these mounting regulations, contact a trusted cybersecurity partner to assist in safeguarding your organization.