What is SHIELD?
SHIELD stands for “Stop Hacks and Improve Electronic Data.” It is an official requirement for businesses to implement a Cybersecurity Program to keep NY residents’ data reasonably safe.
Compliance with SHIELD dictates that businesses must have a cyber security plan in place and maintain reasonable safeguards to protect NY residents’ data. SHIELD also expands on New York’s existing data breach notification laws, requiring AG notification within 10 days if 500+ NY residents were affected.
The SHIELD Act goes into full effect on March 21, 2020. The requirement for recording data breaches started on Oct. 23, 2019. Businesses that are out of compliance after March 21, 2020, could face penalties of up to $250,000.
Who is Affected?
SHIELD compliance is required for any business or person anywhere who owns, licenses, stores or processes a New York resident’s data, including:
- Email addresses
- Identification numbers (Social Security, driver’s license, etc.)
- Credit card numbers
- Account numbers
- Security questions and answers
- Biometric data
- Unsecured health information
The SHIELD Act does take the size of a business and other industry-related compliance into account and provides some exceptions/limitations:
The SHIELD Act applies differently to small businesses. SHIELD defines a “small business” as a business that:
- Has fewer than 50 employees
- Has had gross revenue of less than $3 million per year for each of the previous three fiscal years, or
- Has less than $5 million worth of year-end assets in total
While a small business still needs to comply with SHIELD, there is some flexibility regarding data security measures. However, there is no flexibility regarding breach notification requirements.
Compliant Regulated Entities
Some businesses in regulated industries, such as financial and healthcare, will be deemed to be compliant with SHIELD’s data security requirements by default.
SHIELD calls such businesses “compliant regulated entities.” These businesses must already maintain compliance with certain recognized data security standards which are considered as strong or stronger than the standards under SHIELD.
Compliant regulated entities are subject to (and compliant with) one or more of the following data security regulations:
- GLBA - Section V of the Gramm-Leach-Bliley Act (15 USC § 6801 – 6808)
- NYDFS - 23 NYCRR 500 (Part 500 of Title 23)
- HIPAA (The Health Insurance Portability and Accountability Act)
What is Required for Compliance?
SHIELD compliance covers three main areas:
The business must:
- Assess data security-related risks of network and software design and information processing, transmission and storage
- Detect, prevent and respond to attacks or system failures
- Test and monitor the effectiveness of controls, systems and procedures
Businesses must choose someone to coordinate the cyber security program and:
- Assess the internal and external risks to data and the safeguards in place to control those risks
- Train all employees on cybersecurity practices
- Select vendors who meet cybersecurity standards
- Make the necessary adjustments to the cybersecurity program as circumstances change
The cybersecurity program must cover;
- Assessing the risks of information storage and disposal
- Detecting, preventing and responding to intrusions
- Protecting against unauthorized access to, or use of, private information during or after the collection, transportation, destruction or disposal of data
- The disposal of private information in a reasonable amount of time after it is no longer needed by erasing electronic media so that it’s unrecoverable
Expanded Data Breach Notification Requirements
SHIELD expands New York’s existing data breach notification laws. Notification requirements apply to any business which owns, licenses, stores or processes New York resident’s data, even if the business is out of NY State. A breach involving more than 500 New York residents requires submitting documentation to the state's AG within 10 days of determining a breach has occurred.
Should personal data be exposed, the business must provide notice to affected individuals via one or more of the following:
- Written notice
- Electronic notice
- Phone notification
- Another notification method (e.g. email, a public posting, or an announcement via statewide media)
The disclosure about the breach must be made expediently and “without reasonable delay.”
Penalties for Non-Compliance
Currently, there is not a separate body enforcing the SHIELD Act, but court-imposed penalties can still be severe, especially for small, to medium sized businesses.
SHIELD states that preliminary relief may be granted by the courts to a victim if they were not notified of a data disclosure. If notification was not made and losses or damages are suffered, the court can award damages for actual costs or financial losses incurred.
If the court determines this article was knowingly or recklessly violated, a penalty of up to $250,000 may be imposed. Many small to medium sized business cannot survive that type of hit.
How GDF can Help
GDF has been a premier provider of cybersecurity services for over two decades. We are experienced with assisting clients in the government, financial, healthcare, education and corporate arenas.
We can assist with the key components needed to achieve SHIELD compliance:
Vulnerability assessments – This is a thorough assessment of the equipment, software, and processes of your entire IT system. We analyze your IT resources, intellectual property concerns and map your threat landscape. We take a comprehensive look at your digital assets - the things about your company that might be especially valuable or vulnerable - and identify pertinent regulatory compliance issues.
Penetration Testing - A penetration test, or pen test, is essentially attempting to break into a network like a bad actor would to identify potential threat vectors.
We can help you develop or update cybersecurity policies and procedures, so everyone has a unifying set of effective rules to follow.
We will formally document your cybersecurity efforts with clearly written reports, from initial assessments and testing, through remediation steps taken.