SHIELD = Stop Hacks and Improve Electronic Data Security
What is it?
Legislation enacted to protect the private information of NY residents from unauthorized access. The SHIELD Act requirements take effect March 21, 2020.
Who does it apply to?
The law applies not only to employee information (where the employees are residents of NY) but also to private information of non-employees that the business may hold (e.g. customers who are NY residents). If your business holds any private information on NY residents and does not already comply with GLBA, HIPAA or DFS NYCRR 500, you are required to abide by the regulations of the SHIELD Act.
What constitutes "private" information?
- Social security number
- Driver’s license number or non-driver identification card number
- Financial account number, credit or debit card number and security code/access codes/passwords to the same
- Biometric data (fingerprint, voice print, retina or iris image or other unique physical representation of biometric data)
- Username or email address in combination with a password or security question answer that would permit access to an online account
Although a NY resident cannot bring a claim against a business directly, the NY Attorney General can bring an action against a business and can recover penalties.
Penalties for failing to provide the required notification equal $20 for each failure or $5,000, whichever is greater, with a maximum statutory penalty of $250,000.
In addition, a $5,000 penalty per violation can be imposed for a violation of the reasonable safeguard requirements.
The SHIELD Act requires businesses to develop, implement and maintain “reasonable safeguards to protect the security, confidentiality and integrity” of New York residents’ data. The three safeguard categories required are administrative, technical and physical.
Administrative safeguards, in which the business:
- Designates one or more employees to coordinate the security program;
- Identifies reasonably foreseeable internal and external risks;
- Assesses the sufficiency of safeguards in place to control the identified risks;
- Trains and manages employees in the security program practices and procedures;
- Selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract; and
- Adjusts the security program in light of business changes or new circumstances.
Technical safeguards, in which the business:
- Assesses risk in network and software design;
- Assesses risk in information processing, transmission and storage;
- Detects, prevents and responds to attacks or system failures; and
- Regularly tests and monitors the effectiveness of key controls.
Physical safeguards, in which the business:
- Assesses risks of information storage and disposal;
- Detects, prevents and responds to intrusions;
- Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
- Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Where do I start?
Create a process to identify the types of private data collected and stored on your networks and how that data is being used, then implement controls to restrict access to it.
Cybersecurity Risk Assessment:
A risk assessment will identify gaps and vulnerabilities based on industry-accepted frameworks and provide mitigation measures which can be implemented to defend against modern cybersecurity threats.
Penetration Testing:
The purpose of a penetration test is to identify the path a malicious attacker would take to compromise an organization. There are many different categories of penetration tests: internal, external, web application, physical and social engineering, to name a few. In the absence of penetration testing, an organization cannot verify that the investments made in cyber protections are actually performing as expected.
In addition to the above priorities, organizations should work to implement controls from industry cybersecurity frameworks such as CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology).
CIS has a Top 20 list (https://www.cisecurity.org/controls/cis-controls-list/) covering a great deal of controls to secure organizations and build cybersecurity programs to comply with many industry compliance requirements.
What about Small Businesses?
Small businesses are defined as having fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets.
Small businesses are not exempt from SHIELD Act requirements if private information is stored or collected by the business. Reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities and the sensitivity of the personal information the small business collects from or about consumers are required.
Silo City IT specializes in the following capabilities and, through our network of select partners, we can set you up for comprehensive SHIELD success.
We provide scalable end-to-end Penetration Testing services to identify where you're vulnerable and how to fix it. All industries, all sizes. Our unique capabilities and experience deliver in-depth analysis along with executive-level reporting. The first step towards SHIELD compliance is identifying where you're vulnerable, so you can prioritize and remediate in the most effective and cost-efficient way possible. Penetration testing involves much more than identifying "potential" vulnerabilities and handing our clients a list of "possible" remediations to look into. We identify, validate, and provide proof of exploitable vulnerabilities and how to fix them. Furthermore, our recommendations include Vulnerability Remediation Prioritization. Time and resources are always at a premium, so prioritizing what to fix is key.
Silo City IT follows CIS and NIST frameworks, combined with experience, to assist organizations in securing client and employee data, which is the core of complying with the SHIELD Act.
Silo City IT can provide remediation assistance to those organizations in need of experienced cybersecurity engineers and cutting-edge cyber protection solutions. Whether you need to further protect your organization with better endpoint protection, optimize your patch management, provide better protection against network based threats, or implement state-of-the-art monitoring capabilities, we have you covered.