With attacks increasing every year, and a record 4.1 billion records breached in just the first half of 2019 according to Forbes, data security regulation is becoming more of a priority. As we expected after the GDPR came into force in the EU, similar regulation has sprung up in the U.S.: the CCPA in California on the west coast and, most recently, New York on the east coast with the signing of the 'Stop Hacks and Improve Electronic Data Security' or NY SHIELD Act.
As of October 23rd, 2019 the SHIELD Act's expanded breach notification requirements are in effect. However, the deadline for adopting 'reasonable security measures' does not arrive until March 21st, 2020.
What this means is that if the existing New York State Information Security Breach and Notification Act did not cover your organization but the new NY SHIELD Act now does, you must implement a proper data security program before March 21st, 2020. If a data breach occurs (which you must report as the act requires), you must already have a data security program in place; failing to do so leaves you noncompliant and exposed to fines.
Previously the New York State Information Security Breach and Notification Act held businesses to certain standards for protecting private information and for disclosing any breach of that data to the New York residents whose private information was exposed. The NY SHIELD Act expands that regulation further.
The SHIELD Act:
All businesses with employees in New York must comply with the SHIELD Act, since private information includes an individual's name and Social Security number. Additionally, even a business with no presence in New York may be required to comply, because the law also applies to any business that maintains a New York resident's private information.
Employers who possess the private information of a New York resident must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.”
While the SHIELD Act does not specify the type of safeguards to be implemented, it does state that an organization will only be deemed to be in compliance if it implements a data security program covering all of the elements described in the act.
NY SHIELD requires that, when a business determines that notification is not required for an incident involving the private information of more than 500 New York residents, that written determination be submitted to the New York attorney general within 10 days. Understanding the scope of an incident in a timely manner is therefore crucial.
In the event that information is exposed through intentional or unintentional disclosure, the organization must inform the affected individuals via one of the following methods:
There is a caveat that may or may not save your organization from fines: issuing a notice to affected individuals is considered 'not required' if:
“… the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials… Such determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.”
An integral piece of running a successful data security program is proper training. This means designating an employee or employees to coordinate and implement the data security program. Given the SHIELD requirements, there are a few important pieces to consider for your HR department:
The human resources team is integral to coordinating, implementing and training your organization in the various components of the data security program. Without the HR team's involvement, proper execution of the data security program will be at risk, and with it your organization's ability to be 'deemed to be in compliance with' the SHIELD standard.
The act is not enforced by private parties but by the Attorney General's office itself. Under the new legislation, if an organization fails to comply by not notifying affected individuals, those individuals may be entitled to monetary compensation (Article 63 of the civil practice law and rules):
“Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to [ten] TWENTY dollars per instance of failed notification, provided that the latter amount shall not exceed [one] TWO hundred fifty thousand dollars.”
While a $5,000 fine is not a huge deal on its own, the per-instance penalty can easily balloon to $250,000 in the event of a large breach. That might not financially hurt an enterprise, but it could close the doors of a small or mid-sized business. Note, however, that even where an enterprise is not really affected financially, its reputation is always at stake in these scenarios, which can indirectly affect revenue.
To be NY SHIELD compliant, companies must implement a data security program. But what does this mean?
Your data security program should check off the following criteria in order to be considered to have 'reasonable safeguards':
Here at STEALTHbits, our mission is to protect your sensitive data and credentials, and we do it at each layer of the stack, providing the most holistic security program in the market.
1. Protect your data
2. Protect your systems
3. Protect your credentials
The NY SHIELD Act has expanded and redefined a number of cybersecurity requirements, which makes things easier in some cases and harder in others. STEALTHbits addresses all of these:
We believe that securing your data is about more than controlling who has access to it: the security of that data depends on the security of Active Directory, and the security of Active Directory in turn depends on the security of the desktop and server infrastructure from which it is most commonly compromised. Providing security around those three areas is what makes STEALTHbits the most holistic security software on the market.
Chris studied Information Systems at Hofstra University before joining Stealthbits – now part of Netwrix where he took on the role as the Technical Product Manager of SharePoint, Dropbox, and Box solution sets. His focus is primarily on SharePoint security, but data security, in general, is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled, and orphaned animals.