Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)

Signed into law by the NY State governor on July 25, 2019, the SHIELD Act goes into effect March 21, 2020 and amends the general business law and the state technology law in relation to notification of a security breach. The law covers all employers, individuals or organizations, regardless of size or location, that collect private information on New York State residents.

The SHIELD Act requires implementation of an information security program to protect “private information” defined as:

  • any individually identifiable information, such as a name, number or other identifier, coupled with a social security number; a driver’s license number or non-driver identification card number; an account number, credit or debit card number in combination with any security code, access code, password or other information that would permit access to the individual’s financial account; or biometric information (such as a fingerprint, voice print, or retina or iris image);
  • individually identifiable information coupled with an account number, credit or debit card number if circumstances exist wherein such number could be used to access an individual’s financial account even without additional identifying information, or a security code, access code or password; or
  • a username or email address in combination with a password or security question and answer that would permit access to an online account.

Failure to implement a compliant information security program is subject to enforcement by the New York State Attorney General and may result in injunctive relief and civil penalties of up to $5,000, imposed against the organization and individual employees, for “each violation.”

The law broadly requires that “any person or business” that owns or licenses computerized data which includes private information of a New York State resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

SHIELD Act Reasonable Safeguards:

“Reasonable Safeguards” are categorized as either (1) Administrative, (2) Technical, or (3) Physical. Partners in Regulatory Compliance can engage with your organization to meet the requirements in the following ways.

| SHIELD Act Requirement | Type of Safeguard | Our Service Offering(s) |
|---|---|---|
| Designate one or more employees to coordinate the security program | Administrative | N/A |
| Identify reasonably foreseeable internal and external risks and assess the sufficiency of safeguards in place to control the risks | Administrative | Risk Assessment |
| Train and manage employees in the security program practices and procedures | Administrative | Cybersecurity Awareness Training |
| Select service providers capable of maintaining appropriate safeguards and require those safeguards by contract | Administrative | Third Party Service Provider Management Policy |
| Assess risks in network and software design | Technical | Risk Assessment; Network Assessment*; Remediation Work* |
| Assess risks in information processing, transmission and storage | Technical | Risk Assessment; Network Assessment*; Remediation Work* |
| Detect, prevent and respond to attacks or system failures | Technical | Managed IT Services*; Incident Response Policy; Incident Response Plan; Firewall, IDS, IPS*; Anti-Virus / Anti-Malware* |
| Regularly test and monitor the effectiveness of key controls | Technical | Vulnerability Assessment; Penetration Testing |
| Protect against unauthorized access to or use of private information | Physical | Access Control*; Multi-Factor Authentication*; Password Manager*; Encryption* |

*Offered through our sister entity, Exigent Technologies.