TrustedSec - Understanding New York’s SHIELD Act

While General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) get a lot of attention, New York should not to be left out. In effect beginning on March 21, 2020, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act (https://www.nysenate.gov/legislation/bills/2019/s5575) places additional security and privacy requirements on organizations that possess private information of New York residents, whether the organization is located in New York or not.

SHIELD defines personal information as “any information concerning a natural person which, because of name, number, personal mark, or other identifier can be used to identify such natural person”. Private information—the set of data that SHIELD requires organizations to protect—has a slightly more complex definition, but essentially consists of any of the following:

  • Social Security number
  • Driver’s license number
  • Financial account or card number with PIN or passcode
  • Financial account or card number only if PINs or passcodes are not required
  • Biometric information
  • Username or email address with password or security questions

SHIELD considers acquisition or access of private information to constitute a breach and has clear requirements for notification in the event of a breach. Breaches impacting any New York residents require notification to those residents, while breaches that impact more than 500 New York residents require businesses to notify the New York Attorney General within 10 days of the breach’s determination.

Penalties for non-compliance include liability for personal financial losses of impacted individuals, in addition to civil penalties between $5,000 and $250,000 if the non-compliance was found to be knowing and/or reckless.

To prevent those additional civil penalties, SHIELD requires organizations to “Develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but not limited to, disposal of data.” The word “reasonable” can be challenging, but SHIELD goes on to describe security program requirements over three (3) general areas that will be familiar to anyone who has worked around Information Security programs: administrative safeguards, technical safeguards, and physical safeguards.

It is also important to note that small businesses as defined by the act (fewer than 50 employees, less than $3 million in revenue over the past three (3) years, and/or less than $5 million in total assets) may have different requirements.

Administrative Safeguards

  • Designation of Information Security roles
  • Regular Information Security control design assessments
  • Information Security education and awareness program
  • Third-party and vendor management program
  • System and process change control
  • Information Security Risk Assessment Processes

Technical Safeguards

  • Network and application security review and testing
  • Information processing, transmission, and storage security review and testing
  • Information Security logging and monitoring
  • Incident Response program
  • Regular testing of Information Security program and controls, systems, and procedures

Physical Safeguards

  • Risk Assessment of the storage and disposal of physical media containing in-scope data
  • Detection and prevention of and response to physical intrusions
  • Protection of physical media containing in-scope data during or after collection, transportation, and destruction
  • Data retention and data destruction processes

As breaches continue to increase in frequency, it is likely that we will see additional legislation at both the state and federal levels. The good news is that from an Information Security program and assessment perspective, many privacy, data protection, and breach notification laws are based on best practice and have a lot of overlap. This means that existing standards-based best practice Information Security and privacy programs will only require a few minor adjustments in order to achieve compliance with New York SHIELD requirements.

The post Understanding New York’s SHIELD Act appeared first on TrustedSec.



from TrustedSec https://www.trustedsec.com/blog/understanding-new-yorks-shield-act/

Comments

Post a Comment

Popular posts from this blog

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"

Image
Eric Howes , KnowBe4 Principal Lab Researcher, found out about another insidious bad guy trick: " If you work in IT there has undoubtedly come a dark moment when you wondered to yourself just who among your employee users would be gullible enough to click through a phishing email and potentially bring down your organization. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/when-users-add-their-names-to-a-wall-of-shame
Read more

Krebs - NY Charges First American Financial for Massive Data Leak

Image
In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties. First American Financial Corp. Santa Ana, Calif.-based  First American [ NYSE:FAF ] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019 . As first reported here last year , First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images. The docum
Read more

SBS CyberSecurity - In The Wild 166

Image
  In The Wild - CyberSecurity Newsletter Welcome to the 166 th issue of In The Wild, SBS’ weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information to help you make better cybersecurity decisions. Follow SBS CyberSecurity on Social Media for more articles, stories, news, and resources!           Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the Internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. CyberRiskNOW Virtual Conference SBS Educational Resources This virtual conference is designed to provide interactive training on evo
Read more