Note: This article is a continuation from last week’s article regarding the New York SHIELD Act, which goes into effect on March 1, 2020. If you have not read Part I, you can do so here.
In last week’s article, we discussed some major highlights of New York’s SHIELD Act, namely the definitions and terminology within the Act. Today, we’ll outline some of its practical applications—including the most important details for achieving compliance, whether by proxy or through the Act’s detailed regulations.
1. Compliance Proxy
The new section added to the general business law is §899-bb: “Data Security Protections.” It recognizes compliance with the following regulations as a proxy:
- GLB: Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809)
- HIPAA & HITECH: Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164), and the Health Information Technology for Economic and Clinical Health Act
- 23 NYCRR 500: Part 500 of Title 23 of the official compilation of codes, rules and regulations of the state of New York, “Cybersecurity Requirements for Financial Services”
- Any other data security rules and regulations of the federal or New York state government
This is good. If you already comply with HIPAA, for example, you (might) comply with the SHIELD Act.
2. Security Requirements
If your business does not have to comply with any of the aforementioned regulations, this Act provides a list of “reasonable security requirements” that must be implemented and maintained to “protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”
An organization will be deemed compliant if a data security program includes the following:
- “Administrative Safeguards”
  - designates one or more employees to coordinate the security program;
  - identifies reasonably foreseeable internal and external risks;
  - assesses the sufficiency of safeguards in place to control the identified risks;
  - trains and manages employees in the security program practices and procedures;
  - selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
  - adjusts the security program in light of business changes or new circumstances.
- “Technical Safeguards”
  - assesses risks in network and software design;
  - assesses risks in information processing, transmission, and storage;
  - detects, prevents and responds to attacks or system failures; and
  - regularly tests and monitors the effectiveness of key controls, systems, and procedures.
- “Physical Safeguards”
  - assesses risks of information storage and disposal;
  - detects, prevents and responds to intrusions;
  - protects against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and
  - disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Small organizations (< 50 people, < $3MM gross, < $5MM assets) are also required to comply with the Act, by demonstrating reasonable administrative, technical and physical safeguards appropriate for the size and complexity of their business.
The SHIELD Act applies to everyone who uses private information of New York residents, regardless of their size or physical location. Even third parties that indirectly use private information are obligated to comply. Organizations may rely on their compliance with other regulations (e.g. GLB, HIPAA) as a proxy, provided the required administrative, technical and physical safeguards are in place.
Note: This article contains general information only; it is not professional advice or service. You should not act on this information without consulting a lawyer with expert knowledge of the data protection laws and practices of your state/country.