Signed into law by the Governor of New York on July 25, 2019, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a data protection law that has broadened the definition of personal information to include username and password for an online account and biometrics; requires specific data security controls for organizations to protect the personal information of New York residents; and sets specific data breach notification requirements and penalties on organizations where the data of New York residents has been compromised.
Largely an update to previous New York state laws, the SHIELD Act will go into effect on March 21, 2020 and is meant to improve cybersecurity protections and data breach notification, with penalties ranging from $5,000 per violation to $20 per failed notification (capped at $250,000). Much like what the California Consumer Privacy Act (CCPA) does for that state, if your organization collects any kind of personal information from a resident of New York State – or you exchange information with a business partner that does – the law applies to you regardless of where your organization is located.
SHIELD Act Compliance Requirements
What’s notably different about the SHIELD Act versus other related data protection laws is that it provides some criteria for compliance. The Act defines three (3) types of safeguards to measure compliance against – Administrative, Physical, and Technical – with requirements including:
- Designating and training employees to coordinate cybersecurity compliance
- Using third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract
- Assessing the risk of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage
- Applying processes and physical safeguards to detect, prevent and respond to attacks or system failures
- Monitoring and testing of the effectiveness of the cybersecurity program
- Applying processes to safely, securely and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes
- Updating the program periodically to address changes in the business or circumstances that would require the program to be changed
According to definitions in the Act, compliance can be achieved (called a “safe harbor”) if an organization meets the requirements of the GLBA Safeguards Rule, HIPAA, or 23 NYCRR Part 500 – although the Act is not clear on how an organization can prove that it is compliant with any of these regulatory regimes.
Third-Party Risk Management Considerations
In examining the SHIELD Act requirements, we see that there are several areas where third-party business relationships will have to be considered in ensuring compliance. We will use the bullets in the section above to identify these specific areas and pose several questions to determine your organization’s readiness for SHIELD Act compliance. Please review the Act’s text for a complete view of requirements. The table below should not be construed as compliance recommendations – merely questions to assess what your organization might need to address.
New York SHIELD Act
|Using third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract
|Assessing the risk of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage
Monitoring and testing of the effectiveness of the cybersecurity program
Updating the program periodically to address changes in the business or circumstances that would require the program to be changed
|Does the organization have options to maintain program flexibility including:
How Prevalent Can Help Address SHIELD Act Third-Party Risk Management Requirements
Prevalent delivers the industry’s only purpose-built, unified platform for third-party risk management. Delivered in the simplicity of the cloud, the Prevalent platform combines automated vendor assessments, continuous threat monitoring, assessment workflow, and remediation management across the entire vendor life cycle, with expert advisory and consulting services, network, and outsourced options to optimize your risk management program. With 50+ built-in questionnaire options – including for NYCRR 500 and other others helpful for the SHIELD Act – Prevalent can help organizations gain a 360-degree view of vendors to simplify compliance, reduce risks, and improve efficiency for a scalable third-party risk management program.
Watch for more SHIELD Act-specific questionnaire options in the Prevalent platform and be sure to contact us today with questions on how SHIELD will impact your organization. In the meantime, be sure to download our compliance white paper which details the third-party risk management requirements in multiple regulations and standards and maps Prevalent’s capabilities into those regimes.