SHIELDing Private Information

April 22, 2020

By Nina Kelleher and Jonathan Bradley

download

While most organizations have shifted operations and are adjusting to working with a remote workforce to survive the COVID-19 pandemic, New York State’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) marched forward and went into effect on March 21, 2020 as planned. 

What exactly is the SHIELD Act?  The SHIELD Act requires “any person or business which owns or licenses computerized data which includes private information of a resident of New York” to implement and maintain “reasonable safeguards” to protect the confidentiality, integrity and security of their private data and its destruction.  The SHIELD Act does this through expanding the following:

  • Prior regulations governing data security and breach notification requirements;
  • Organizations required to comply;
  • Definition of data breach to include an unauthorized access to the information covered; and
  • Scope of data that constitutes as private information.

You May Need To Comply and Not Know It

Though this is a NY law, organizations not located in NY should assess if they are required to comply with the SHIELD Act.  The SHIELD Act is broad and extends to any organization that has personal information of NY residents.  Meaning, the SHIELD Act applies even if the organization is not located in NY yet it maintains private information of a single NY resident, which includes not only its customers but also its employees.  However, it is worth mentioning that the law provides some flexibility for data security reasonableness to be tailored to the size of the organization, complexity of operations, and sensitivity of the data it collects.  For example, a small, retail financial firm is expected to have far more robust data security controls than a commercial construction company of similar size. 

You May Already Comply and Not Know It

The good news is the SHIELD Act outlines that organizations are automatically “deemed to be in compliance” with the SHIELD Act’s “reasonableness” standard if they are already in compliance with any of the following regulations:

  • The federal Gramm-Leach-Bliley Act (GLBA), which is a federal law that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
  • Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH); regulations protecting the privacy and security of certain health information.
  • New York Department of Financial Services (NYDFS) Cybersecurity Regulation; or
  • “Any other data security rules and regulations” of the federal or New York State government.

How to Comply

A security program with “reasonable” safeguards has elements that include, but are not limited to, the following:

  • An employee to manage the security program;
  • Identification of reasonably foreseeable external and internal risks, with efficient safeguards in place to manage the identified risks;
  • Effective security awareness training;
  • Adequate detection, prevention, and response processes for attacks or system failures;
  • Scheduled tests and monitoring the effectiveness of key controls, systems and procedures; and
  • Encryption of private information during or after the gathering, transmission, and destruction of the data.

With cyber attacks on the rise since the COVID-19 outbreak and SHIELD Act fines of $250,000 per incident, now is a good time for organizations to revisit their data security programs and refresh accordingly to ensure they are in compliance with the requirements of the SHIELD Act. 


PRTS Intelligence Newsletter - Q2 2020

About Nina Kelleher

Nina Kelleher is a Director specializing in Process, Risk, and Technology Solutions (PRTS) with expertise includes planning, executing and leading audits, conducting risk assessments and completing financial statement due diligence.