Since the advent of the GDPR, a number of data protection laws have sprung up that follow a similar theme. Given that 4.1 billion records were reported breached during the first half of 2019, it was only a matter of time until legislators were forced to step up their game.
On June 28, 2018, the California Consumer Privacy Act (CCPA) was signed into law, and on July 25, 2019, New York followed with the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which amends the state's existing Information Security Breach and Notification Act (General Business Law § 899-aa).
The New York SHIELD Act introduces more stringent requirements for reporting data breaches. Failing to notify can result in civil penalties of up to $20 per failed notification, capped at $250,000, and failing to implement reasonable safeguards can result in penalties of up to $5,000 per violation. The breach notification changes took effect on October 23, 2019, but businesses have until March 21, 2020, to implement 'reasonable security measures', in other words a documented data security program.
The Latest Amendments to the New York SHIELD Act
As mentioned, the NY SHIELD Act amends the existing breach notification law, and introduces the following changes:
Expanded definition of private data
The definition of "private information" has been expanded. It still covers personal information (such as a name) in combination with a Social Security number or a driver's license number, and now also covers account, credit or debit card numbers (even without a security code, if the number alone could be used to access the account), biometric data such as fingerprints or retinal scans, and a username or email address in combination with a password or a security question and answer.
Expanded definition of a data breach
The existing law defined a data breach as the "unauthorized acquisition" of private information. Under the NY SHIELD Act the definition also covers "unauthorized access to" private information, where indications of access include the data having been viewed, communicated with, used or altered without valid authorization. New York businesses must therefore know exactly how their private information is being accessed: who has access to what data, and when.
Extended territorial scope
One of the most notable and controversial features of the GDPR was its extended "territorial scope", which means that any organization, wherever in the world it is located, that processes personal data of individuals in the EU is bound by the law. The NY SHIELD Act takes a similar approach: the law no longer applies only to organizations operating in New York, but to any organization that holds private information belonging to New York residents.
Reasonable safeguards
As with the GDPR and the CCPA, organizations are required to have "reasonable safeguards" in place to protect private information. The Act lists administrative, technical and physical safeguards, including designating one or more employees to coordinate the security program, training staff, assessing risks, detecting and responding to attacks, regularly testing and monitoring key controls, and disposing of private information within a reasonable time after it is no longer needed. Organizations must also ensure that they are adequately controlling and monitoring access to their critical assets.
Expanded and clarified exemptions
Both the number and type of exemptions have been extended and clarified. For example, an organization is not required to notify affected individuals following a breach if:
- the exposure was an inadvertent disclosure by a person authorized to access the private information, and the organization reasonably determines that it is unlikely to result in misuse of the data or in financial or emotional harm to the affected individuals (this determination must be documented in writing, kept for at least five years, and provided to the Attorney General within ten days if more than 500 New York residents are affected)
- it has already notified the affected individuals under another regulation, such as HIPAA/HITECH, GLBA or the NYDFS cybersecurity regulation (23 NYCRR 500); in that case it must still notify the Attorney General, the Department of State and the State Police.
Extended violation action period
Previously, if an organization suffered a data breach and failed to comply with the notification requirements, the Attorney General had two years from the violation to bring an action. Under the NY SHIELD Act this has been extended to three years from the date the Attorney General became aware of the violation or the date notice was sent to affected individuals, whichever comes first.
How Can Organizations Comply with the NY SHIELD Act?
As you might expect, the steps an organization should take to satisfy the compliance requirements of the NY SHIELD Act are not much different from the steps needed to comply with the GDPR or any other data protection regulation.
Most of the steps revolve around gaining as much visibility as possible into how private information is accessed, modified, moved and deleted. Below are some steps that can help you achieve compliance efficiently:
Data discovery and classification
It goes without saying that an organization can only protect private information if it knows what private information it holds and where it is located. There are a number of commercial tools that will automatically discover and classify a wide range of PII, including Social Security numbers, driver's license numbers, bank account details, passport numbers and more. Pattern matching alone produces many false positives, so a good scanner validates each candidate (for example, rejecting card numbers that fail the Luhn check) before classifying it.
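To make the discovery and classification step concrete, here is an added example of how such a scanner works; it is not the code of any commercial tool. It finds formatted Social Security numbers and payment card numbers in text, validates each candidate (SSA issuance rules for SSNs, the Luhn checksum for cards) so that look-alike numbers are not reported, and masks what it reports. The sample documents, their names and the regex formats are constructed assumptions for the example.

```python
"""Minimal PII discovery and classification scanner (added example, not vendor code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Formatted SSN: AAA-GG-SSSS (assumption: dashes present; extend for bare digits).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Finding:
    kind: str     # "SSN" or "PAYMENT_CARD"
    masked: str   # value with all but the last four digits masked
    offset: int   # character offset of the match in the scanned text


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if the result > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so reports themselves do not leak PII."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return validated PII findings in the text, ordered by position."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append(Finding("SSN", mask(m.group(0).replace("-", "")), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("PAYMENT_CARD", mask(digits), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def classify_documents(docs: dict[str, str]) -> dict[str, list[str]]:
    """Map each document name to the sorted, de-duplicated PII kinds it contains."""
    return {name: sorted({f.kind for f in scan_text(body)}) for name, body in docs.items()}


# Constructed sample documents; 4111 1111 1111 1111 is the well-known Visa test number.
# The second card number fails Luhn and the 666- SSN is never issued, so neither is reported.
SAMPLE_DOCS = {
    "hr/onboarding.txt": "Employee Jane Doe, SSN 123-45-6789, start date 2019-08-01.",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111-1111-1111-1112\n",
    "marketing/newsletter.txt": "Call 212-555-0199 or quote ticket 666-12-3456 for help.",
}

if __name__ == "__main__":
    for name, kinds in classify_documents(SAMPLE_DOCS).items():
        print(f"{name}: {kinds or 'no PII'}")
    for f in scan_text(SAMPLE_DOCS["finance/refunds.csv"]):
        print(f)
```

Running the block classifies `hr/onboarding.txt` as containing an SSN, `finance/refunds.csv` as containing a payment card, and `marketing/newsletter.txt` as clean, even though the newsletter contains a nine-digit number shaped like an SSN. A production scanner would add more detectors (driver's license and passport formats are jurisdiction-specific and mostly unvalidatable) and read files from disk, but the validate-before-report structure is the part that keeps the inventory trustworthy.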
Implement a data retention policy
It is a good idea to collect and store private information only when it is absolutely necessary. Organizations must ensure that they have a data retention policy in place which details what data they will collect, how, and for how long they will keep it. The policy should also describe how data is disposed of once it is no longer required, which the SHIELD Act expects to happen within a reasonable time.
Implement an access control policy
Organizations must have an access control policy in place which determines who should have access to what data and why, and they need to keep an up-to-date inventory of all access rights that have been assigned.
Adopt a real time alerting platform
In addition to monitoring changes to access controls, which protects against privilege escalation, organizations must monitor all access to private information. If a user account accesses private information in a way that is not typical for that user (an unfamiliar data set, an unusual time of day, or an unusual volume), a real-time alert should be sent to the relevant staff for immediate review.
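The following is an added example, not code from any alerting product, of the two detections just described: a per-user baseline of which data sets an account normally touches and at what hours, with alerts on deviations, plus an alert whenever an account is added to a sensitive group. The log format, the group names and the sample log lines are constructed assumptions for the example.

```python
"""Baseline-driven alerting over data-access logs (added example, not vendor code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed log line format: "<ISO-8601 UTC> user=<name> action=<verb> object=<target>".
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) object=(?P<obj>\S+)$")
DATA_ACTIONS = {"read", "download", "copy"}
SENSITIVE_GROUPS = {"group:hr-admins", "group:domain-admins"}  # assumed group names


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    obj: str


@dataclass
class Alert:
    ts: datetime
    user: str
    reason: str


def parse_log(text: str) -> list[Event]:
    """Parse log lines into events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["user"], m["action"], m["obj"]))
    return events


def build_baseline(events: list[Event]) -> dict[str, dict[str, set]]:
    """Per user: the objects they normally access and the UTC hours they do it in."""
    baseline = defaultdict(lambda: {"objects": set(), "hours": set()})
    for e in events:
        if e.action in DATA_ACTIONS:
            baseline[e.user]["objects"].add(e.obj)
            baseline[e.user]["hours"].add(e.ts.hour)
    return dict(baseline)


def evaluate(events: list[Event], baseline: dict[str, dict[str, set]]) -> list[Alert]:
    """Raise an alert for sensitive group changes and for data access outside the baseline."""
    alerts = []
    for e in events:
        if e.action == "group-add" and e.obj in SENSITIVE_GROUPS:
            alerts.append(Alert(e.ts, e.user, f"added to sensitive group {e.obj}"))
            continue
        if e.action not in DATA_ACTIONS:
            continue
        b = baseline.get(e.user)
        if b is None:
            alerts.append(Alert(e.ts, e.user, f"no baseline for user; first observed access to {e.obj}"))
            continue
        reasons = []
        if e.obj not in b["objects"]:
            reasons.append(f"never accessed {e.obj} before")
        if e.ts.hour not in b["hours"]:
            reasons.append(f"access at {e.ts.hour:02d}:00 UTC is outside usual hours")
        if reasons:
            alerts.append(Alert(e.ts, e.user, "; ".join(reasons)))
    return alerts


def run_detection(baseline_log: str, new_log: str) -> list[Alert]:
    return evaluate(parse_log(new_log), build_baseline(parse_log(baseline_log)))


# Constructed sample logs: a few days of normal activity, then one day to evaluate.
BASELINE_LOG = """\
2019-08-05T09:02:11Z user=alice action=read object=hr/payroll.csv
2019-08-05T14:20:40Z user=alice action=read object=hr/payroll.csv
2019-08-06T10:15:03Z user=alice action=read object=hr/benefits.csv
2019-08-06T11:05:22Z user=bob action=read object=finance/refunds.csv
2019-08-07T15:41:09Z user=bob action=download object=finance/refunds.csv
2019-08-07T16:00:00Z user=bob action=login object=vpn
"""
NEW_LOG = """\
2019-08-12T09:30:00Z user=alice action=read object=hr/payroll.csv
2019-08-12T09:45:12Z user=alice action=download object=finance/refunds.csv
2019-08-12T03:10:55Z user=bob action=read object=finance/refunds.csv
2019-08-12T08:00:00Z user=carol action=group-add object=group:hr-admins
2019-08-12T10:00:00Z user=dave action=read object=hr/payroll.csv
"""

if __name__ == "__main__":
    for a in run_detection(BASELINE_LOG, NEW_LOG):
        print(f"{a.ts.isoformat()} ALERT {a.user}: {a.reason}")
```

Of the five new events, alice's routine payroll read is silent; her download of a finance file she has never touched, bob's 03:00 read, carol's addition to the HR admin group and dave's access with no history at all each produce one alert. In practice the baseline should be rebuilt over a rolling window and the hour check should tolerate adjacent hours, otherwise the rule fires every time someone starts work early.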
Use an advanced reporting console
Most data security platforms provide a reporting console that enables admins to quickly generate reports for the Attorney General or other regulators as and when required, and most offer a range of pre-defined reports tailored to specific compliance requirements.