Posted on Oct 21, 2019
As legislative bodies continue to enact regulatory requirements reinforcing data privacy and security, the New York State legislature followed in the footsteps of several recent laws, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
Companies that do business in New York State are under pressure as they face ever-increasing regulation that imposes stronger cybersecurity requirements and more obligations on businesses handling private and personal information. Enter Senate Bill 5575.
Senate Bill 5575, more commonly referred to as the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, was enacted on July 25, 2019 as an amendment to the General Business Law and the State Technology Law. It updates the breach notification requirements to impose stronger obligations on businesses handling private information and personal information in an attempt to mitigate threats that contribute to identity theft. New York State Senator Kevin Thomas said “It is critical that our laws keep pace with the rapidly changing world of technology. [T]he SHIELD Act...will allow for increased accountability and diligence in regards to consumer privacy. Now more than ever, it is important that businesses protect the private information of the consumers they serve.”
While the regulation defines “personal information” as “any data about a natural person that can be used to identify the individual,” it defines “private information” as either personal information in combination with a variety of traditional non-public personally identifiable information or a user name/email address in combination with a password or security question/answer that permits access to an online account.
The SHIELD Act defines private information data elements as:
The NY SHIELD Act incorporates two specific changes that increase an organization’s liability.
The regulation changes the definition of a data breach to “unauthorized access,” which goes beyond the previous definition of “unauthorized acquisition of” data.
“Access” creates a broader definition of data breach since malicious actors do not need to exfiltrate data, just be able to access it.
The legislation applies to “any person or entity with private information of a New York Resident, not just to those that conduct business in New York State.”
Following along with the GDPR and the CCPA, the NY SHIELD Act can be enforced against organizations that operate outside of the state, so long as they have New York Resident information.
To promote risk-based security procedures appropriate to all business sizes, the NY SHIELD Act requires organizations to enact “reasonable security” practices.
The NY SHIELD Act considers an organization compliant if it complies with:
In the absence of any other data security or privacy compliance requirements, the NY SHIELD Act defines reasonable security controls as:
You can diligently manage adherence to the New York SHIELD Act by using the SecurityScorecard Ratings product to instantly capture, report, and remediate real-time vendor and partner security risks that signal potential policy violations. Moreover, we break down security posture for each of the ten groups of factors so that you can more rapidly respond to potential security control weaknesses. You can also streamline vendor risk management by sending questionnaires through the SecurityScorecard Atlas product. The platform compares vendor responses to the ratings data we collect, providing real-time validation to pinpoint risk. SecurityScorecard’s continuous monitoring and real-time alerting of the external threats to an environment help maintain confidentiality, integrity, and availability, the 3 pillars of security.