The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) is a New York data security and breach notification law that applies to “any person or business which owns or licenses computerized data which includes private information” of a resident of New York, wherever that person or business is located. It amended the state’s existing Information Security Breach and Notification Act (General Business Law § 899-aa) and added a new § 899-bb that requires covered businesses to maintain “reasonable safeguards” for private information. The amended breach notification rules took effect on October 23, 2019, and the data security requirements on March 21, 2020.
What is the New York SHIELD Act?
The New York SHIELD Act applies to “any person or business which owns or licenses computerized data which includes private information” of a resident of New York.
Unlike most data privacy regulations, which use the term “personal information”, the SHIELD Act uses the term “private information”. The definition is significantly broader than the one in the pre-SHIELD law. Private information now also includes biometric information, account and credit/debit card numbers that can be used to access an account without any additional code or password, and a username or email address combined with a password or security question and answer. Likewise, the new law expands what counts as a data breach. Under the old law, notification was only required if private information was acquired by an unauthorized party. Now, covered entities must notify affected residents (and the state Attorney General, Department of State and State Police) if private information has been, or is reasonably believed to have been, accessed or acquired by an unauthorized party, even if nothing was copied out. Indications that the data was viewed, communicated with, used or altered by someone without valid authorization are enough to count as access.
SHIELD Act Safeguards
When it comes to complying with most data privacy regulations, you are expected to implement administrative, physical, and technical safeguards, and the regulation rarely tells you which ones. The SHIELD Act is more explicit than most: § 899-bb lists examples of the administrative, technical and physical safeguards that count as reasonable, and a business whose program includes them is deemed compliant. Businesses already subject to, and compliant with, GLBA, HIPAA/HITECH or the NYDFS cybersecurity regulation (23 NYCRR Part 500) are also deemed compliant, and small businesses (fewer than 50 employees, under $3 million in gross annual revenue in each of the last three fiscal years, or under $5 million in year-end total assets) may scale their safeguards to their size, the nature of their activities and the sensitivity of the data. So what needs to be done to keep private information out of the wrong hands and respond to data breaches quickly and effectively?
The administrative safeguards come first. Designate one or more employees to coordinate your data security program; they will be responsible for developing, implementing and maintaining it. They will need to identify reasonably foreseeable internal and external risks, assess whether your existing controls actually address those risks, and document the result. They will also need a comprehensive set of policies covering access control, device management, acceptable use, patch management, incident response and on-boarding/off-boarding, and they must make sure that service providers who handle private information are capable of maintaining appropriate safeguards and are bound to do so by contract. Finally, they are responsible for security awareness training for all staff, including the consequences of failing to comply with your company’s security policies.
The technical safeguards start with assessment. Evaluate the risks in your network and software design, in how private information is processed, transmitted and stored, and in your ability to detect, prevent and respond to attacks or system failures. Regularly test and monitor the effectiveness of your key controls, and keep the auditing capability needed to show what was accessed, by whom and when.
The physical safeguards cover the rest. All physical servers and storage devices must be protected from unauthorized access, which may require ID badges, locks, alarms, CCTV cameras, and so on. Printers, photocopiers and scanners must be secured, and you must have a documented process for disposing of private information within a reasonable time once it is no longer needed, so that it cannot be read or reconstructed: paper and disk shredders, disk degaussers or cryptographic erasure, for example.
Tips for Achieving SHIELD Compliance
Below are some of the key tips that will bring you a step closer to SHIELD compliance.
1. Discover & classify your private information
It is common for organizations to have large amounts of private information scattered across their network: in spreadsheets, cloud storage, desktops and mobile devices, and in some cases shared via email and other communication channels. Having sensitive data spread across multiple locations makes it very difficult to keep track of who has access to it, and if you don’t know where your private information is or who can reach it, you cannot assess a breach or work out which residents to notify. As such, from a technical perspective, the first step towards compliance is to discover and classify your private information. There are many data classification solutions that will scan your repositories across multiple locations and platforms and automatically discover and classify data that falls within the SHIELD Act’s definition. At this stage, it is also a good idea to delete any data you don’t need, or at least archive it in case you need it later, since data you no longer hold cannot be breached. A change auditing solution can help you determine which assets are still in use.
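The discovery step above comes down to matching the SHIELD Act’s private-information categories against file contents. The script below is an added example, not Lepide’s code or part of the original article: it scans a constructed, invented set of files for Social Security numbers, Luhn-valid payment card numbers, and username/email plus password pairs, and reports which files hold which category. The sample file paths and contents are assumptions made for the example; a real scan would walk file shares and cloud buckets and add driver’s licence, account number and biometric patterns appropriate to the data you hold.

```python
import re

# Constructed sample repository: the paths and contents are invented for this
# example and contain no real personal data.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn,dob\nJane Doe,123-45-6789,1980-01-01\n",
    "finance/refunds.txt": "refund to card 4111 1111 1111 1111 approved\n",
    "it/creds.txt": "user=jdoe@example.com password=hunter2\n",
    "marketing/plan.md": "Q3 plan: call 555-0100, ref 1234-5678-9012\n",
}

# US Social Security number; structurally invalid area/group/serial values
# (000, 666, 9xx; 00; 0000) are excluded to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; validated by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set[str]:
    """Return the SHIELD private-information categories found in text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("card_number")
            break
    # A username or email address together with a password is private
    # information in its own right under the amended definition.
    for line in text.splitlines():
        if EMAIL_RE.search(line) and PASSWORD_RE.search(line):
            found.add("online_credentials")
            break
    return found


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each path that holds private information to its sorted categories."""
    report = {}
    for path, content in files.items():
        cats = classify_text(content)
        if cats:
            report[path] = sorted(cats)
    return report


if __name__ == "__main__":
    for path, cats in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(cats)}")
```

The Luhn check and the excluded SSN ranges are what keep this from flagging every long number: the marketing file’s phone number and twelve-digit reference are ignored, while the sixteen-digit card number is reported. Treat the output as a starting inventory to be confirmed by a human, not as proof that a file is clean.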
2. Enforce “least privilege” access
Access to private information must be restricted in accordance with the “principle of least privilege”, which stipulates that users are granted access only to the data they need to carry out their duties. As such, you will need policies that determine how and when access to private information is granted and revoked, and a regular entitlement review to catch access that should have been removed on a role change or departure, since an account that still holds access after off-boarding is exactly the kind of gap a risk assessment is meant to find.
3. Monitor access to private information
As mentioned, you must notify affected residents and the state authorities whenever private information has been accessed or acquired by an unauthorized party. To make that determination you need visibility into who has (and who should have) access to what information, when, where, how, and for how long. Basically, any time private information is read, moved, modified or removed, you need to know about it, or at least have a clear record of the event that you can scrutinize for suspicious activity. Because the amended law treats unauthorized access as a breach even when nothing was copied out, that record has to capture reads, not just downloads or transfers. You don’t need to do this manually: there are numerous solutions on the market that will detect, alert and respond to activity involving your private information.
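Tips 2 and 3 fit together: the least-privilege entitlements say who should touch each class of private information, and access monitoring checks every recorded event against them. The script below is an added example, not Lepide’s code or part of the original article, and everything in it is constructed for the example: a hypothetical user directory with group memberships and an active flag, an allow-list mapping each private-information category to the groups entitled to it, a classification map of the kind a discovery pass produces, and a few JSON-lines access events. It flags access by accounts outside the entitled groups or by deprovisioned accounts, marks copy/download style actions as acquisition rather than mere access, and lists accounts whose entitlements should already have been revoked.

```python
import json

# Constructed user directory (not real accounts). "active" is False once the
# person has been off-boarded; bjones still holds group memberships.
USERS = {
    "jdoe": {"groups": ["hr"], "active": True},
    "asmith": {"groups": ["finance"], "active": True},
    "bjones": {"groups": ["hr", "finance"], "active": False},
    "svc-backup": {"groups": ["backup"], "active": True},
}

# Least-privilege allow-list: which groups may touch each category of private
# information. Service accounts need an explicit entry too; none is given here.
AUTHORIZED = {
    "ssn": {"hr"},
    "card_number": {"finance"},
    "online_credentials": {"it"},
}

# Output of a discovery/classification pass: path -> categories it contains.
CLASSIFIED = {
    "hr/payroll.csv": ["ssn"],
    "finance/refunds.txt": ["card_number"],
    "it/creds.txt": ["online_credentials"],
}

# Actions that take a copy of the data out of the repository.
ACQUISITION_ACTIONS = {"copy", "download", "email", "upload"}

# Constructed JSON-lines access log (assumed format for this example).
SAMPLE_LOG = """\
{"ts": "2024-03-02T09:12:00", "user": "jdoe", "path": "hr/payroll.csv", "action": "read"}
{"ts": "2024-03-02T09:15:00", "user": "asmith", "path": "hr/payroll.csv", "action": "read"}
{"ts": "2024-03-02T21:40:00", "user": "bjones", "path": "finance/refunds.txt", "action": "download"}
{"ts": "2024-03-02T22:05:00", "user": "svc-backup", "path": "it/creds.txt", "action": "copy"}
{"ts": "2024-03-03T08:00:00", "user": "asmith", "path": "marketing/plan.md", "action": "read"}
"""


def evaluate(event: dict) -> list[str]:
    """Findings for one access event; an empty list means the access was expected."""
    findings = []
    cats = CLASSIFIED.get(event["path"])
    if not cats:
        return findings  # not private information, nothing to assess
    user = USERS.get(event["user"])
    if user is None or not user["active"]:
        findings.append("access by unknown or deprovisioned account")
    else:
        allowed = set().union(*(AUTHORIZED[c] for c in cats))
        if not allowed & set(user["groups"]):
            findings.append("access outside least-privilege entitlement")
    # Under the amended law unauthorized access alone is a breach; acquisition
    # is recorded separately because it changes the scope of what was exposed.
    if findings and event["action"] in ACQUISITION_ACTIONS:
        findings.append("data acquired, not merely accessed")
    return findings


def review_log(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (user, path, findings) for every event that needs follow-up."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = evaluate(event)
        if findings:
            alerts.append((event["user"], event["path"], findings))
    return alerts


def stale_entitlements(users: dict) -> list[str]:
    """Deprovisioned accounts that still hold group memberships granting access."""
    return sorted(u for u, rec in users.items() if not rec["active"] and rec["groups"])


if __name__ == "__main__":
    for user, path, findings in review_log(SAMPLE_LOG):
        print(f"{user} -> {path}: {'; '.join(findings)}")
    print("entitlements to revoke:", stale_entitlements(USERS))
```

On the sample log this produces three alerts: a finance user reading the payroll file, an off-boarded account downloading card data, and a backup service account copying a credentials file. The first is an access-only event, the other two are acquisitions, and the off-boarded account also shows up in the stale-entitlement list, which is the revocation gap the least-privilege policy is supposed to close.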
What are the penalties for failing to comply with the SHIELD Act?
Enforcement is by the New York Attorney General; the Act creates no private right of action. For breach notification failures that are not knowing or reckless, the court may award damages for the actual costs or losses incurred by the people who should have been notified. For knowing or reckless notification failures, the court may impose a civil penalty of the greater of $5,000 or $20 per instance of failed notification, capped at $250,000. Failing to maintain reasonable safeguards under § 899-bb is a separate violation, for which the Attorney General may seek a civil penalty of up to $5,000 per violation.
If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your sensitive data and help you be SHIELD compliant, schedule a demo with one of our engineers or start your free trial today.