DataSure24

New York SHIELD Act: What You and Your Business Should Be Aware Of

Updated: Sep 18, 2020

By Max Winterburn, Director of Business Operations, and Michael Russell, Security Analyst II


In the past, securing your information and infrastructure was never a worry for top-level executives. When an auditor came into your organization, they would ask generic questions: “Where are your servers? Do you have a lock on your door? … Okay, you’re good.”

Those days are over. Compliance and regulatory requirements have evolved with the ever-changing threats to information and infrastructure.

Attacks on people’s data and infrastructure are becoming increasingly sophisticated and harder to keep track of as the world continues to evolve. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act was passed into law by New York State in July 2019, and came into play on March 21, 2020. With this date having just passed, businesses have been scrambling to find out exactly what is involved in complying with the new legislation, while hackers continue to fine-tune their attacks with more precision and intricacy.

What is the goal, and who is affected?

The goal of the SHIELD Act is to improve data security and stop hacks. The Act requires any person or business that owns or licenses computerized data that includes private information of a resident of New York State to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that private information. Virtually any business that owns or licenses computerized data and private information of employees or customers who are New York residents is required to comply with the NY SHIELD Act.

What deadlines should I be aware of?

The NY SHIELD Act requires the notification and recording of data breaches starting on October 23, 2019. The deadline for adopting reasonable security measures and implementing the security program is March 21, 2020.

What are the requirements?

The NY SHIELD Act is divided into administrative, technical and physical requirements. The requirements include but are not limited to the following breakdown:

Administrative requirements: focus on who coordinates the security program (CISO or equivalent), identifying risks to the organization, implementing regular security assessments to control and prioritize risk, managing third-party providers, and implementing security training for staff.

Technical requirements: concentrate on network and technical risk to the organization (vulnerability management and data flow), detection of and response to breaches, and regular testing and assessment of the systems to check that vulnerabilities cannot be exploited.

Physical requirements: assess the storage and disposal of data, access controls (both to systems and to physical locations), and retention periods for private information.

In addition to the above requirements, organizations are required to disclose a data breach where an unauthorized agent accesses private data held by the organization. Failure to report such a data breach could result in penalties of up to $250,000.

What’s next?

Each affected organization should have responded to the Act and implemented a program matching the requirements by March 21, 2020. In addition to implementing a solid cybersecurity program, organizations should train their staff on cybersecurity, create and update plans, policies and procedures for cybersecurity, and perform regular cybersecurity assessments to locate any vulnerabilities that may exist and pose a threat to their infrastructure.

To contact DataSure24 with any questions on the NY SHIELD Act, email or call our team at 716-600-3724.

