As legislative bodies continue to enact regulatory requirements reinforcing data privacy and security, the New York State legislature followed in the footsteps of several recent laws, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
Companies that do business in New York State are under pressure as they face ever-increasing regulation that is imposing stronger cybersecurity requirements and more obligations on businesses handling private and personal information. Enter, Senate Bill 5575.
What is Senate Bill 5575?
Senate Bill 5575, more commonly referred to as the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act was enacted on July 25, 2019 as an amendment to the General Business Law and the State Technology Law updating the breach notification requirements to impose stronger obligations on businesses handling private information and personal information in an attempt to mitigate threats that contribute to identity theft. New York State Senator Kevin Thomas said “It is critical that our laws keep pace with the rapidly changing world of technology. [T]he SHIELD Act...will allow for increased accountability and diligence in regards to consumer privacy. Now more than ever, it is important that businesses protect the private information of the consumers they serve.”
How does the NY SHIELD Act define personal information and private information?
While the regulation defines “personal information” as “any data about a natural person that can be used to identify the individual, it defines “private information” as either personal information in combination with a variety of traditional non-public personally identifiable information or a user name/email address in combination with a password or security question/answer that permits access to an online account.
The SHIELD Act defines private information data elements as:
- Social security number
- Driver’s license number or non-driver identification card
- Account number
- Credit or debit card number in conjunction with:
- Security code
- Access code
- Password
- Any other information that permits financial account access
- Account, credit card or debit card number if such number permits financial account access without additional identifying information
- Biometric information defined as data generated by electronic measurements of an individual’s unique physical characteristics including but not limited to:
- Fingerprint
- Voice print
- Retina or iris scan
What Is new about the NY SHIELD Act?
The NY SHIELD Act incorporates two specific changes that increase an organization’s liability.
Definition of data breach: Unauthorized access
The regulation changes the definition of a data breach to “unauthorized access” which goes beyond the previous definition of “unauthorized acquisition of” data.
“Access” creates a broader definition of data breach since malicious actors do not need to exfiltrate data, just be able to access it.
Extraterritoriality
The legislation applies to “any person or entity with private information of a New York Resident, not just to those that conduct business in New York State.”
Following along with the GDPR and the CCPA, the NY SHIELD Act can be enforced against organizations that operate outside of the state, so long as they have New York Resident information.
What is “reasonable security”?
To promote risk-based security procedures appropriate to all business sizes, the NY SHIELD Act requires organizations to enact “reasonable security” practices.
Compliance with other regulations
The NY SHIELD Act considers an organization compliant if it complies with:
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Part 500 of Title 23 of the Official Compilation of Codes, Rules, and Regulations of the State of New York
- Any other federal or NY State legislation requiring cybersecurity protections
Reasonable security controls
In the absence of any other data security or privacy compliance requirements, the NY SHIELD Act defines reasonable security controls as:
- Administrative safeguards
- Designating a responsible internal party
- Identifying reasonably foreseeable internal and external risks
- Assessing the sufficiency of safeguards
- Training employees
- Selecting service providers who maintain safeguards
- Incorporating safeguards into service provider contracts
- Adjusting the program to meet evolving threats
- Technical safeguards
- Assessing risks in network and software design
- Assessing risks in information processing, transmission, and storage
- Detecting, preventing, and responding to attacks or system failures
- Regularly testing and monitoring control effectiveness
Continuous cyber monitoring for continuous assurance
You can diligently manage adherence to the New York SHIELD Act by using SecurityScorecard Ratings product to instantly capture, report, and remediate real-time vendor and partner security risks that signal potential policy violations. Moreover, we break down security posture for each of the ten groups of factors so that you can more rapidly respond to potential security control weaknesses. You can also streamline vendor risk management by sending questionnaires through the SecurityScorecard Atlas product. The platform compares vendor responses to the ratings data we collect, providing real-time validation to pinpoint risk. SecurityScorecard’s continuous monitoring and real-time alerting of the external threats to an environment help maintain confidentiality, integrity, and availability—the 3 pillars of security.
