On July 25th, 2019, New York’s governor signed the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act into law. NY SHIELD amends the state’s existing data breach notification law. It also expands the definition of protected data to now include biometric information. This adjustment levels up with changing times as we use fingerprints, iris/retina images, voiceprints, and more to authenticate our identities.
However, the language of NY SHIELD is deliberately vague. It presents 14 “reasonable” requirements in three broad categories. The goal of NY SHIELD is to allow each organization to determine how best to meet these requirements. That’s not to say that NY SHIELD has no teeth: Covered businesses may be liable for a civil penalty for knowing or reckless violations of up to $5,000 per violation. The maximum penalty grew 250%, from $100,000 to $250,000.
As an expert IT partner to SMBs in New York and beyond, we’ve fielded a lot of questions about NY SHIELD: “What does SHIELD mean for a so-called small business versus a large business?” “Who’s going to decide if I’m compliant?” “Do I really have to worry about NY SHIELD?” So, where should you get started? Here’s what NY SHIELD requires in plain English.
1. Designate someone to coordinate your cybersecurity program.
Translation: hire or assign a member of your team to be your Chief Information Security Officer. The CISO owns corporate cybersecurity policy, writing and applying the policies and procedures that keep safe not only protected data but also the systems used to work with and store it. A great CISO anticipates threats to data security, takes systematic steps to preempt the bad guys, and trains others to do the same.
2. Identify reasonably foreseeable internal and external risks.
Translation: Think critically about potential threats to data security in terms of people, processes, and access privileges. Then consider where you could be vulnerable regarding your systems, controls, and user authentication. Write down everything that keeps you up at night. Hypochondria is your friend!
3. Assess the sufficiency of safeguards to control identified risks.
Translation: Conduct an annual risk assessment. Try to break in and steal your data. If you can do it, so can cybercriminals. An expert IT partner can help you leave no stone unturned so that you fix gaps or issues before a criminal can find and exploit them.
4. Train employees in security program practices and procedures.
Translation: Set up a regular schedule for cybersecurity awareness training (monthly is best!) and make sure everyone participates. Follow up with quizzes and ongoing conversations to ensure users are meeting learning goals.
5. Select service providers that maintain appropriate safeguards and require those safeguards by contract.
Translation: Only do business with vendors, suppliers, partners, and even customers who are SHIELD-compliant, and put that requirement in writing. Remember, someone is always left holding the bag in a crisis. Don’t accept anyone else’s cybersecurity risk.
6. Adjust your security program due to business changes or new circumstances.
Translation: An information security plan is not a one-and-done task on your list. It’s a living document that needs regular review and revision. Use your cybersecurity plan daily to protect your business’s interests.
7. Assess risks in network and software design.
Translation: Figure out how and where your corporate internet, files, and applications are fragile, vulnerable, or threatened before the criminals do. You care about who has access, how that access is validated, and what access allows each user to do.
8. Assess risks in information processing, transmission, and storage.
Translation: Consider where things could go wrong as you work with, share, and save data. Do you regularly email protected data? Encrypt those emails. Save your active work files into restricted folders instead of to your desktop. Ensure you save backups in a secure format and location.
9. Detect, prevent, and respond to attacks or system failures.
Translation: Install defensive architecture (like firewalls, anti-virus/anti-malware, and email spam filters), review logs and alerts, and take immediate action on issues. If possible, install a real-time security information and event management system (“SIEM” software is proactive!). If the budget doesn’t allow for SIEM, upgrade your firewall to include intrusion detection to give you as much information about attacks and failures as possible.
10. Regularly test the effectiveness of critical controls.
Translation: Stage a mock disaster or breach event and see if your team can follow cybersecurity procedures in a timely and complete way. Tabletop exercises are like fire drills; they help you determine whether you’ve documented all the essential steps so that everyone knows what to do in a crisis. Don’t forget to review access controls each quarter to make sure that only those who should have access do have access.
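The quarterly access review described above comes down to reconciling who can reach what against who should. The script below is an added example, not code from the original article or from SynchroNet; the HR roster, the role-to-resource entitlement map and the ACL export are all constructed inline for illustration, and the role map is a hypothetical one you would replace with your own.

```python
"""Quarterly access review: reconcile an ACL export against an HR roster.

Added example (not part of the original article). It flags three kinds of
findings a reviewer cares about:
  - orphan:     an account with access that has no roster entry at all
  - terminated: a roster user who is no longer active but still has access
  - excess:     an active user holding access their role does not call for
"""
from collections import defaultdict

# Constructed HR roster: who works here, whether they are active, their role.
ROSTER = [
    {"user": "alice", "status": "active", "role": "finance"},
    {"user": "bob", "status": "active", "role": "engineering"},
    {"user": "carol", "status": "terminated", "role": "finance"},
    {"user": "dave", "status": "active", "role": "sales"},
]

# Hypothetical role-to-resource map: what each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance": {"payroll-share", "erp"},
    "engineering": {"source-repo", "build-server"},
    "sales": {"crm"},
}

# Constructed ACL export: (account, resource) pairs as a file server or
# directory would list them today.
ACCESS_EXPORT = [
    ("alice", "payroll-share"), ("alice", "erp"),
    ("alice", "source-repo"),        # finance user with engineering access
    ("bob", "source-repo"), ("bob", "build-server"),
    ("carol", "payroll-share"),      # terminated user never deprovisioned
    ("dave", "crm"),
    ("mallory", "erp"),              # no roster entry for this account
]


def review_access(roster, entitlements, access_export):
    """Return findings grouped by category; each finding is (user, resource)."""
    roster_by_user = {r["user"]: r for r in roster}
    granted = defaultdict(set)
    for user, resource in access_export:
        granted[user].add(resource)

    findings = {"orphan": [], "terminated": [], "excess": []}
    for user in sorted(granted):
        person = roster_by_user.get(user)
        for resource in sorted(granted[user]):
            if person is None:
                findings["orphan"].append((user, resource))
            elif person["status"] != "active":
                findings["terminated"].append((user, resource))
            elif resource not in entitlements.get(person["role"], set()):
                findings["excess"].append((user, resource))
    return findings


def review_is_clean(findings):
    """True when the quarter's review produced no findings in any category."""
    return not any(findings.values())


if __name__ == "__main__":
    report = review_access(ROSTER, ROLE_ENTITLEMENTS, ACCESS_EXPORT)
    for category, entries in report.items():
        print(f"{category}: {len(entries)} finding(s)")
        for user, resource in entries:
            print(f"  revoke {resource} from {user}")
    print("clean" if review_is_clean(report) else "action required")
```

Each finding is an access grant to remove (or, for excess access, to justify in writing and re-approve); running the same script against next quarter's exports also shows whether last quarter's revocations actually stuck.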
11. Assess the risks of information storage and disposal.
Translation: Write a policy that explains how you’ll safeguard your physical equipment (like computers, laptops, and servers) throughout its lifecycle, from procurement to recycling.
12. Detect, prevent, and respond to intrusions.
Translation: Not all intrusions happen after hours by thieves wearing masks. Your physical security policy should address how you’ll prevent deliberate or accidental access to restricted areas by employees, vendors, or strangers, and how you’ll respond when such access does occur.
13. Prevent unauthorized access to (or use of) private information during or after its collection, transportation, and destruction or disposal.
Translation: Keep your protected data safe, no matter what. Put the server that houses your applications and backups in a locked room. Make sure it has a screen timeout and is password protected. When it’s time to upgrade your hardware, shred your old hard drives.
14. Dispose of private information within a reasonable amount of time by erasing electronic media so that data cannot be read or reconstructed.
Translation: If you no longer need data for business purposes, shred the drive. Don’t hang on to protected information for decades. Don’t leave old computers in the storage room. Keep what you need to meet the obligations of your daily business and industry and no more.
As an SMB, do you need to take NY SHIELD seriously? The short answer is, YES. Your compliance – or lack thereof – will only become a factor in the event of a breach, which is exactly when the full weight of SHIELD’s penalties comes to bear.
NY SHIELD is good for New York businesses, and it’s smart for your business. Each item in the regulation reflects best practices. You determine how best to comply based on your budget, your industry, the types of data you touch, and your risk tolerance.
We get it. But before you write off NY SHIELD as a problem for another day, watch this video.
Five Reasons Why You Can't Afford to "Not Care" about NY SHIELD
At SynchroNet, we take our role as trainers seriously. As WNY’s favorite expert IT partner, we’re here to help SMBs just like you understand what regulations mean for your business. If you’d like more information (and a few laughs) about NY SHIELD, check out our free six-video series, the NY SHIELD Crash Course.