21 April 2020
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires all covered entities to implement a "Data Security Program."
Complying with the SHIELD Act's Data Security Program requirement could consume significant time and resources. Businesses must put in place administrative, technical, and physical safeguards across 13 different metrics to safeguard the data of New York residents.
We've prepared some practical advice to help you meet each of the SHIELD Act's Data Security Program requirements.
Which two exceptions, the SHIELD Act requires "any person or business that owns or licenses computerized data which includes private information of a resident of New York [state]" to implement the Act's Data Security Program.
This applies to companies across the entire world, regardless of whether they have any presence in New York or even the United States.
Small businesses are not exempt from the SHIELD Act, but they can implement a reduced Data Security Program if appropriate.
Under the SHIELD Act, a "small business" fulfills one or more of the following characteristics:
A small business only needs to implement a Data Security Program that is "appropriate," considering:
Certain entities that are compliant with other cybersecurity laws are exempt from the Data Security Program requirement of the SHIELD Act.
Your company will be exempt if it complies with one of the following regulations:
The SHIELD Act distinguishes between "personal information" and "private information."
The SHIELD Act defines "personal information" as:
"any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person."
This is a somewhat vague definition. It's important to note that, in addition to a name, number, and "personal mark," personal information includes "other identifier[s]." In certain contexts, identifiers might include an email address, username, or alias.
The SHIELD Act's definition of "private information" is more complex. There are two types of private information, which we're calling "type I" and "type II" private information.
Type I private information comprises a data set that includes personal information plus one or more of the "data elements" listed below:
Account number, credit or debit card number, in combination with:
Biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as:
There's one more condition. In order to be considered "private information," the data element or the combination of both the personal information and the data element must be:
In other words, if the information is encrypted, and the encryption key is safe, it's not private information.
Type II private information is:
"a user name or email address in combination with a password or security question and answer that would permit access to an online account."
The SHIELD Act Data Security Program consists of three parts:
Throughout this section, we'll be referring to other cybersecurity and data protection laws that impose similar requirements to the SHIELD Act, namely:
Administrative safeguards include matters such as your risk assessments, policies, procedures, and staff training.
Here's the relevant section of the SHIELD Act, Section 899-BB.2.(b)(ii)(A):
This is the most extensive section of the SHIELD Act Data Security Program.
Let's consider how you can meet each of these requirements.
You must designate one or more employees to coordinate the security program.
The SHIELD Act does not give any specific requirements around who would be an appropriate employee. However, a similar requirement exists under the GDPR, appointing a Data Protection Officer, and Section 164.530(a)(1) of HIPAA (available here).
Where appropriate, an employee responsible for coordinating your Data Security Program should:
You must identify reasonably foreseeable "internal and external risks."
Consider risk assessment as a two-stage process:
To identify potential risks, you must understand how data flows through your business.
Map the data you hold. Consider:
Answer these questions:
For each set of private information, consider:
For more information about data mapping and risk assessment, see our article Conducting a GDPR Data Audit.
You must assess the sufficiency of the safeguards you have put in place in place to control risks.
Administrative safeguards may include:
Consider questions such as:
For more information about creating data safeguarding policies, see our article GDPR Data Protection Policy.
You must train and manage your employees in the practices and procedures of the security program.
It might be appropriate for you to either:
A security training program should make staff aware of topics such as:
Where reasonably possible, you should extend your security training program to all employees, including temporary staff, management, and contractors.
You must select service providers that are capable of maintaining appropriate data security safeguards, and you must impose a contract that requires those safeguards.
You should conduct due diligence on any company with whom you share personal or private information. Consider whether the company is suitably certified, well-established, and legitimate.
Several other privacy laws, such as the GDPR and the CCPA, require a written contract between businesses and their service providers. The SHIELD Act does not specify what this contract should contain.
However, it should normally include at least:
You must adjust your security program in light of changes to your business or new circumstances.
Technical safeguards relate to the technology you use to store, process, and safeguard data.
Here's the relevant section of the SHIELD Act, Section 899-BB.2.(b)(ii)(B):
Let's look at how you can meet each of these requirements.
You must assess risks in the design of your networks and software.
Here are some questions you can ask about your network and software security design:
You must assess risks in the ways in which you process, transmit, and store personal information.
Here are some questions to consider:
You must detect, prevent and respond to attacks or system failures.
Each part of your Data Security Program will help you achieve this. Here are some particularly important measures:
Install centrally-administered anti-malware software on all staff terminals.
Develop a comprehensive Data Breach Policy so that employees know:
You must regularly test and monitor the effectiveness of key controls, systems, and procedures.
Consider hiring a third-party company to run penetration testing on your systems. This will help identify vulnerabilities and backdoors that an attacker could exploit.
Physical safeguards are measures to protect hardware, equipment, and buildings from attacks and hazards.
Here's the relevant section of the SHIELD Act, Section 899-BB.2.(b)(ii)(C):
Let's look at how you can meet each of these requirements.
You must assess risks in how you store and dispose of information.
Consider how you store data. Your business is likely to use one of the following data storage solutions:
Public cloud (Amazon Web Services, Google Cloud,etc.):
Onsite data center/private cloud:
Consider whether your chosen storage solution is appropriate given the nature, scope, and sensitivity of the data that you store.
You must ensure you can detect, prevent, and respond to intrusions.
You must also consider whether any information you store on site is physically accessible to an intruder. Consider measures such as:
Ensure you regularly conduct audits of keys, security passes, and access permissions. Always retrieve keys and passes from employees and contractors who leave your company.
Set workstations to automatically log off if left unattended. Do not allow employees to alter this setting (or other important security settings).
You must protect against unauthorized access to, or use of, private information, during or after the point at which it is:
Sensitive private information should be encrypted at all stages of collection, transportation, and deletion.
Consider using a Virtual Private Network (VPN) when transporting/transmitting data between locations.
You must dispose of private information within a reasonable amount of time after it is no longer needed for business purposes. You must do this by erasing electronic media so that the information cannot be read or reconstructed.
Consider creating a Data Retention Policy to formalize the periods over which you store different types of private information.
When it comes to data disposal, there are several measures that might be appropriate:
Ensure your employees recognize the importance of not disposing of data in the trash (whether stored electronically or on paper). Many data breaches occur when someone finds sensitive information in a dumpster.
Your Data Security Program consists of three main elements:
Reasonable administrative safeguards:
Reasonable technical safeguards:
Reasonable physical safeguards:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.