New York Latest State Requiring Businesses to Adopt Reasonable Cybersecurity Safeguards to Protect Private Information

Posted on: 8/13/19 by John J. Unser

The “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act) was signed into law on July 25, 2019

New York Governor Cuomo signed the SHIELD Act into law on July 25, 2019. The law amends the state's existing data breach notification law (General Business Law § 899-aa), broadening the definitions of “private information” and “breach,” and adds a new section (General Business Law § 899-bb) requiring reasonable data security safeguards.

The amended breach notification provisions take effect October 23, 2019; the data security requirements discussed below take effect March 21, 2020.

New York is the latest state, joining California, Massachusetts and Colorado, to adopt a law requiring businesses that collect private information about its residents to implement reasonable cybersecurity safeguards to protect that information. New York's law mandates a data security program that includes measures such as risk assessments, workforce training, and incident response planning and testing. It covers every employer, individual or organization, regardless of size or location, that collects private information about New York State residents.

“The approval of 23 NYCRR 500 (DFS) and now the SHIELD Act prove New York State is taking cybersecurity very seriously. For years Marvin and Company has been assisting banks, insurance companies and law firms with DFS compliance. We are excited to assist our small business clients to ensure they understand and meet the new SHIELD regulation.”
– John Unser, CISO, IT Director, Marvin and Company, P.C.

The SHIELD Act requires an information security program that protects “private information.” The statute defines this in two ways. First, it is personal information (any information concerning a natural person which, because of a name, number, personal mark or other identifier, can be used to identify that person) in combination with any one or more of the following data elements:

  • a social security number;
  • a driver’s license number or non-driver identification card number;
  • an account number, or credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to the individual’s financial account;
  • an account number, or credit or debit card number, if the number could be used to access the individual’s financial account without additional identifying information, security code, access code or password; or
  • biometric information (such as a fingerprint, voice print, or retina or iris image, or another unique physical or digital representation used to authenticate or ascertain the individual’s identity).

Second, and on its own, it is a username or email address in combination with a password or security question and answer that would permit access to an online account.

One caveat matters for system design: a data element, or the combination of personal information plus the data element, is only “private information” when it is not encrypted, or when it is encrypted with a key that has also been accessed or acquired. Encryption with properly protected keys therefore takes data outside the definition.

The law broadly requires that “any person or business” that owns or licenses computerized data which includes private information of a New York State resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

In order to achieve compliance, an organization must implement a data security program that includes:

Reasonable Administrative Safeguards
Persons and businesses possessing private information must implement reasonable administrative safeguards, which the SHIELD Act lists as:

  • Designation of one or more employees to coordinate the security program
  • Identification of reasonably foreseeable internal and external risks
  • Assessment of the sufficiency of safeguards in place to control the identified risks
  • Training and management of employees in the security program practices and procedures
  • Selection of service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract
  • Adjustment of the security program in light of business changes or new circumstances

Reasonable Technical Safeguards
The technical safeguards specified in the SHIELD Act are:

  • Assessment of risks in network and software design
  • Assessment of risks in information processing, transmission and storage
  • Detection, prevention and response to attacks or system failures
  • Regular testing and monitoring of the effectiveness of key controls, systems and procedures

Reasonable Physical Safeguards
The physical safeguards listed in the SHIELD Act are:

  • Assessment of risks of information storage and disposal
  • Detection, prevention and response to physical intrusions
  • Protection against unauthorized access to or use of private information during or after its collection, transportation and destruction or disposal
  • Disposal of private information within a reasonable amount of time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed

Small businesses (fewer than 50 employees, less than three million dollars in gross annual revenue in each of the last three fiscal years, or less than five million dollars in year-end total assets) may scale their data security program to their size and complexity, the nature and scope of their business activities, and the nature and sensitivity of the information they collect. A small business still must have a program; its safeguards need only be appropriate to those factors.

Important note: Organizations that are covered by and in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), the New York State Department of Financial Services cybersecurity regulations (23 NYCRR Part 500), or other applicable federal or New York State data security regulations are deemed in compliance with the SHIELD Act's data security requirement. This safe harbor covers the safeguards requirement only; the breach notification provisions still apply.

The data security requirement is enforced by the New York State Attorney General; the statute creates no private right of action. The Attorney General may seek injunctive relief and civil penalties of up to $5,000 for “each violation.” Depending on how the Attorney General applies that provision, the penalties could be significant for entities, and potentially their employees, that fail to take the required protective measures, including where those failures lead to a data breach. Vigorous enforcement is likely, since the Attorney General submitted the SHIELD Act as an agency-sponsored bill to keep pace with the use and dissemination of private information. Absent future clarification, the Attorney General may seek civil penalties for inadequate safeguards even in the absence of a data breach. Any enforcement action will also carry other damaging consequences, such as reputational harm and supply chain concerns with the firm's business partners.

At Marvin and Company P.C. we have a long history of assisting our clients with their IT security needs. Whether your organization needs to meet HIPAA, DFS or SHIELD compliance or simply wants to verify the corporate infrastructure is secure, our team of professionals can help. Some of the IT services we’ve provided to our clients include IT audits, vulnerability assessments, policy creation, information security program creation and penetration testing, among many others.

For a full listing of our services please visit: https://www.marvincpa.com/our-services/a-history-of-shaping-futuresthrough-it-advisory-services/.
