Stop Hacks and Improve Electronic Data Security Act

New York Information Security and Breach Law (SHIELD Act)

New York has joined the expanding list of states and countries to put in place a law that protects private information, empowering protection of data, and information security for operation that utilized PII information provided by New York residence. On July 26, 2019, Gov. Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

BILL NUMBER: S5575B Stop Hacks and Improve Electronic Data Security Act

 BILL NUMBER: S5575B New York's data breach notification law requires an organization to implement necessary safeguards to protect data and provide notification in the event of a breach. This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information. It also requires reasonable data security, provides standards tailored to the size of a business, and provides protection from liability for certain entities. This act shall be known and may be cited as the "Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)”

Does it apply to your business?

 SHIELD Act will apply to any person or business that owns or licenses personal private data in electronic form, regardless if the person or business operates in New York. For example, a person or business may have physical operations in New Jersey, but if that office has employees and customers that reside in New York, they will be subject to the Act and its requirements. Like many recent privacy laws, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), it is becoming clear that physical boundaries will not restrict the reach of these laws and any future laws to be adopted by other states and countries.

What is private information?

is any piece of personal information that can be used to identify an individual and includes, but is not limited to, the following:

  • Full name

  • Home address

  • Email address

  • Social security number

  • Passport number

  • Driver’s license number

  • Credit card numbers

  • Date of birth

  • Telephone number

Data Security Solutions

Security policy for third-party service providers, “The organization must document written procedures and policies to ensure third-party risk management programs protect information systems and non-public information.” 

Key provisions of these policies apply to the financial institution’s systems, including: 

  • Written policies and procedures designed to protect users from risks posed by third-party service providers

  • The identification and risk assessment of third-party service providers

  • Minimum cybersecurity practices required of third parties

  • The evaluation of third-party cybersecurity practices through due diligence

  • Periodic risk-based assessments

  • Additionally, policies and procedures pertaining to third-party service providers are required to include relevant guidelines for due diligence as well as contractual protections, addressing:

  • Access controls, including multi-factor authentication

  • Encryption

  • Notifications to be provided to the primary organization in response to a cybersecurity event

  • ·Representations and warranties for a third party’s cybersecurity policies and procedures

 CyberSecOp drives leadership in data security solutions 

New is asking organization to assess their security risks, and then develop policies for data governance, classification, access controls, system monitoring, and incident response and recovery. The regulation calls for companies to implement, at a minimum, specific controls in these areas (see the next section) that are typically part of compliance standards.

  • Risk Assessments – Conducted periodically and will be used to assess “confidentiality, integrity, security and availability of the IT infrastructure and PII.

  • Audit Trail Designed to record and respond to cybersecurity events. The records will have to be maintained for five years.

  • Limitations on Data Retention – Develop policies and procedures for the “secure disposal” of PII that is “no longer necessary for business operations or for other legitimate business purposes”

  • Access Privileges – Limit access privileges to PII and periodically review those privileges.

  • Incident Response Plan – Develop a written plan to document internal processes for responding to cyber security events, including communication plans, roles and responsibilities, and necessary remediation of controls as needed

Organization must be able to:

  • Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

  • Protect: Employ defense infrastructure to safeguard against those threats.

  • Detect: Implement the appropriate activities to identify the occurrence of a cybersecurity event.

  • Respond: Take appropriate action to mitigate all detected cybersecurity events.

  • Recover: Restore any capabilities or services that were impaired due to a cybersecurity event.

Breach and Who to Notify?

 The SHIELD Act substantially changes the definition of a breach. Prior to the SHIELD Act, the definition of a breach was restricted to the unauthorized acquisition of private information. The SHIELD Act expands the definition to also include unauthorized access to private information. The inclusion of unauthorized access to private information will result in a substantial increase in the number of businesses that will be required to report a breach.

Security Breach Notification

 Should a breach occur, you will need to notify the impacted individuals as well as: the New York State Attorney General, the Department of State, and the Division of State Police. If the breach impacts more than 5,000 New York residents, consumer reporting agencies must also be notified. If you are already subject to HIPAA, GLBA, or the NY DFS 500 Cyber Regulation, duplicate notifications to the individual is not required.

The SHIELD Act significantly amends New York's data breach notification law and data protection requirements. On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") amending New York's data breach notification law.