As more and more attacks are occurring each year with a record 4.1 billion records breached in just the first half of 2019, according to Forbes– data security regulation is becoming more of a priority. Just as we suspected with the signing of the GDPR regulation in the EU, similar regulation has sprung up in the U.S with the CCPA on the west coast in California and most recently spreading to the east coast in New York with the signing of the ‘Stop Hacks and Improve Electronic Data Security’ or NY SHIELD Act.
NY SHIELD Act Timelines & Deadlines
As of October 23rd, 2019 the SHIELD Act requires the recording of data breaches. However, the deadline for adopting ‘reasonable security measures’ does not come into effect until March 21st, 2020.
What this means is that if the NYDFS (NY State Information and Security Breach and Notification Act) laws did not affect your organization previously but now does under the new NY SHIELD Act, then you must implement a proper Data Security program before March 21st, 2020. In the event of a data breach (which you must record), you must have a data security program in place otherwise failure to do so will result in being noncompliant and will result in fines.
Overview of NY SHIELD Act Protection
Previously the New York State Information and Security Breach and Notification act held businesses to some standards around protecting private information and disclosing any breach of that data to the New York residents whose private information was exposed. The NY SHIELD Act has expanded this regulation further.
The SHIELD Act:
- Expanded the definition of private data to include private information such as a New York resident’s name in combination with a social security number and driver’s license plus the following:
- Biometric information like fingerprints or retina scans
- A combination of username and passwords, security questions and answers, that can be leveraged to access a person’s online account.
- Credit card numbers, not requiring the security code, which can be used to access a person’s bank account.
- Expanded definition of a data breach:
- Previously a breach was defined by the NYS Information and Security Breach and Notification Act as the unauthorized acquisition of private information, now it is defined more broadly as the unauthorized access to private information.
- The definition of access includes viewing, downloading or copying private information. Being able to prove who accessed a file and how is more important than ever.
- Expanded the organizations the law applies to:
- Previously, the laws around data security only applied to entities that were conducting business in New York. With SHIELD, the law now applies to any entity in possession of an NY resident’s private information.
- Added a requirement for ‘Reasonable Safeguards’:
- Similar to CCPA for California, any businesses that license/own the personal information of a NY State resident is now required to have “reasonable safeguards” to prevent a breach of that sensitive data.
- Definition of “Reasonable Safeguards”:
- Dedicating one or more employees to carry out the implementation of a security program.
- Implementing a security training program
- Assessment and monitoring of key controls on a regular basis (Active Directory, Access management for example)
- Reasonable retention policies that dispose of private information in a timely fashion.
- Expanded the exemptions
- Organizations don’t need to notify of a breach if the exposure does not result in financial or emotional harm to the individuals whose data was breached. Or if a breach occurs inadvertently by an individual who is authorized to access the private information.
- Organizations don’t need to notify of a breach if they have already notified of the same breach under a different breach notification regulation such as NYDFS Cybersecurity Regulation, the HIPAA act, or the Gramm-Leach-Bliley Act (GLBA).
- Security programs can be tailored based on the size of the business, the nature of their business and the sensitivity of their private information.
- Extended the violation action period
- Previously the NY State Attorney General had to bring an action against a company within the first two years of the violation, this has been extended to three years.
All businesses with employees in New York must comply with the Shield Act since private information includes an individual’s name and Social Security number. Additionally, even a business without a presence in NY may be required to comply since the law also applies to any business that maintains a NY resident’s private information.
Organizational Impact of the NY SHIELD Act
Employers who possess the private information of a New York resident must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.”
While the SHIELD Act does not specify the type of safeguards to be implemented, it does state that an organization will only be deemed to be in compliance if it implements a data security program that covers all of the elements described in the SHIELD act.
NY SHIELD requires that incidents involving the private information of more than 500 New York residents be submitted to the New York attorney general within 10 days of that determination. So, understanding the scope of an incident in a timely manner is crucial.
In the event that information is exposed through intentional or unintentional disclosure, the organization must inform the effected individuals via one of the following methods:
- Phone notification
- Written notice
- Electronic notice
- Some other notification type (email, a public posting or statewide media announcement)
There is a caveat that may or may not save your organization from fines. The caveat is that issuing a notice to affected individuals is considered to be ‘not required’ if:
“… the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials… Such determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.”
- This caveat is dependent on having a strong understanding of the access to the exposed data. Without that understanding, you will be unable to determine how likely the misuse of private data will be.
- Do you know who has access to your NY state resident’s personal information or even where it all is? Could you figure that out within 10 days of an incident?
Employee Impact – HR is Critical
An integral piece of leading a successful data security program involves proper training. This means designating an employee or employees to coordinate and implement the data security program. With the SHIELD requirements there are a few important pieces to consider for your HR department:
- The designation of an HR team member or members to coordinate the data security program
- Ensure that whoever/whichever team is given this responsibility has the bandwidth to effectively coordinate, implement and train employees.
- The training and management of employees in the security programs practices and procedures
- Employee training should focus on properly handling sensitive information.
- Investigation and the contractual binding of service providers to safeguard private information
The human resources team is an integral piece in coordinating, implementing and training your organization in the various components of the data security program. Without the HR team’s involvement, proper execution of the data security program will be at risk and jeopardize your organization from being ‘deemed to be in compliance with’ this SHIELD standard.
Consequences of Noncompliance
This will not be enforced by private entities but by the Attorney General’s office itself. With the new legislation, if organizations fail to comply by not notifying affected individuals, those individuals may be entitled to monetary compensation. (Article 63 of the civil practice law and rules)
“Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to [ten] TWENTY dollars per instance of failed notification, provided that the latter amount shall not exceed [one] TWO hundred fifty thousand dollars.”
While a $5,000 fine isn’t a huge deal, this can easily balloon up to $250,000 in the event of a large breach. This might not financially hurt an enterprise business but this could potentially close the doors on a small-mid sized business. I would note however that while an enterprise may not really be affected financially, the reputation of an enterprise business is always at stake in these scenarios which could indirectly affect revenue.
What to Look for in a Data Security Program
To be NY SHIELD compliant companies must implement a data security program, but what does this mean?
Your data security program should check off the following criteria in order to be considered to have ‘reasonable safeguards’ :
- The ability to identify sensitive content which contains PII across your organization’s environment.
- Understanding where your sensitive data exists is imperative to protecting it.
- Visibility in assessing internal and external risks and controls to reduce those risks.
- Upholding proper retention policies which destroy private information within a reasonable period of time after it’s no longer required to conduct business
- The ability to assess access to sensitive information.
How STEALTHbits Will Help You be NY SHIELD Complaint
Here at STEALTHbits, our mission is to protect your sensitive data and the credentials and we do it at each layer of the stack, providing the most holistic security program in the market.
1. Protect your data
- Unstructured and structured data discovery and classification
2. Protect your systems
- Activity monitoring and threat alerting for your servers and desktops
3. Protect your credentials
- No amount of security on the perimeter matters once Active Directory is compromised. We will help you clean up stale/inactive/over-provisioned accounts and reduce your attack surface by auditing and monitoring Active Directory.
- Automated workflows to keep a least privileged access model across your domain.
The NY SHIELD Act has expanded and redefined a number of cybersecurity protocols which makes things easier in some cases and harder in others. STEALTHbits addresses all of these:
- Redefinition of Private Information
- We can look for all of the criteria stated in the legislation.
- Expanded definition of a data breach
- Remediating access will initially help reduce the likelihood of private information being improperly accessed. In the event that this happens, we can help your organization understand whether or not it needs to report a breach or not based on our ability to audit access to information as well as the activity around the data in question.
- Implement reasonable safeguards
- Leveraging STEALTHbits for your data security program is more than sufficient in proving that you’ve implemented a data security program. We can tailor reports to fit your unique environment and give you visibility into all of the areas which NY SHIELD requires you to understand.
We believe that the security of your data is more than just controlling who has access to it, the security of this data relies on the security of Active Directory – Furthermore, the security of Active Directory relies on the security of the desktop and server infrastructure that Active Directory is most commonly compromised from. Having the ability to provide security around those 3 key areas is what makes STEALTHbits the most holistic security software on the market.
Chris studied Information Systems at Hofstra University before joining STEALTHbits where he took on the role as the Technical Product Manager of SharePoint, Dropbox and Box solution sets. His focus is primarily on SharePoint security, but data security, in general, is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled and orphaned animals.