What is the New York SHIELD Act?
On 25th July 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, making it a state law. This act amends and broadens the coverage of the existing data breach notification law by expanding the definition of:
- Covered Entities to include any individual or entity that holds the private information of a New York State resident, regardless of whether that individual or entity does business in the state of New York.
- Private Information to include: a username or email address in combination with a password or security question; biometric information such as fingerprints, voice print, retina or iris image; and an account number, or credit or debit card number, that can be used to access an individual's financial account without additional identifying information.
- Data Breach to include unauthorized access to private information, regardless of whether that data has been acquired by unauthorized personnel. The data breach notification law would be triggered by indications that private information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.
"The SHIELD Act does two things, primarily: It amends New York’s data breach notification statute, General Business Law §899-aa to update its definitions, and also creates a new §899-bb requiring substantive data security controls of any person or business that owns or licenses computerized data including the defined “private information” of a New York resident. In doing this, New York has brought itself into line with a number of states concerning how they define a data breach, and, where applicable, what substantive security controls they require. The SHIELD Act also adopts the approach of several states, including Massachusetts, Florida, and Nevada, which purport to extend their jurisdictional reach to any person or business, anywhere in the world, that owns or licenses data concerning a resident of that state. In this regard, New York has converted §899-aa into, and created a new §899-bb that functions as, a possession statute:
If you process computerized private information concerning a New Yorker, you now fall under the statute’s requirements. This change in territorial scope, of course, vastly increases the pool of persons and entities that are subject to possible enforcement under §899-aa, and creates an entirely new ground for enforcement against this increased pool under §899-bb. The statute’s expanded definition of “private information” also increases the likelihood of enforcement."
The SHIELD Act also amends the general business law by adding a new data security protections section, 899-bb. This section outlines the compliance requirements for a data security program with “reasonable safeguards” to protect private information. The reasonable safeguards extend to the service providers of the covered entities, and the safeguards must be required by contract.
The SHIELD Act’s amendments to the breach notification law take effect on October 23, 2019, and the data security amendments to the general business law take effect on March 21, 2020.
Who Does the SHIELD Act Apply To?
The SHIELD Act applies to any person or entity, regardless of their location, that owns or licenses computerized data which includes private information of New York State residents.
What Should Businesses Do to Comply?
Organizations that comply with HIPAA, GLBA, NYDFS and other federal or New York State data security regulations are considered compliant with the reasonable safeguards requirements section of the SHIELD Act. The reasonable safeguards include:
- Administrative Safeguards
  - Designate one or more employees to coordinate the security program
  - Identify internal and external risks
  - Train employees on security program practices
  - Select service providers capable of maintaining appropriate safeguards and require those by contract
- Technical Safeguards
  - Assess risks in network and software design and in information processing, transmission and storage
  - Detect, prevent and respond to attacks or system failures
  - Regularly test and monitor the effectiveness of key features of the security program
- Physical Safeguards
  - Assess risks associated with information storage and disposal
  - Detect, prevent and respond to intrusions
  - Protect against unauthorized access to or use of private information during or after collection, transportation or destruction of information
  - Dispose of private information within a reasonable amount of time
According to the SHIELD Act:
“Small businesses are also subject to the reasonable safeguards requirement; however, safeguards may be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” A small business is any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets”.
What Is the Consequence?
The SHIELD Act does not authorize a private right of action or class action litigation. However, the Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are not reckless or knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For reckless and knowing violations, courts may impose penalties of the greater of $5,000 or up to $20 per instance, but no greater than $250,000. For reasonable safeguard requirement violations, the court may impose penalties of not more than $5,000 per violation.
How Can Duo Help?
A strong data security program must include an adaptive multi-factor authentication mechanism to safeguard against unauthorized access. Your organization can easily comply with the SHIELD Act and strengthen its security posture using Duo. Duo enforces strong access security policies to prevent unauthorized users and devices from gaining access to private information, even when the users’ credentials are compromised.
Multi-Factor Authentication - Duo verifies users’ identities with strong two-factor authentication before granting access to applications that may contain personal information. This protects user identities and ensures that only authorized users are able to access PI/sensitive data.
Device Visibility - Duo provides IT teams with visibility into which corporate-managed and unmanaged devices are accessing company applications and data. This provides organizations with the ability to set security policies to protect their sensitive resources.
Trusted Endpoints - Duo checks the security hygiene of devices before granting access, giving complete control over what and who has access to systems storing PI/sensitive data. By leveraging Trusted Endpoints, organizations can augment their security posture to ensure that only healthy, trusted devices gain access to sensitive resources and can block unauthorized devices.
Access Policies - Enforcement of strong policies ensures only trusted and authorized users and healthy devices can access critical business applications and the data they store, while blocking unauthorized access. By enabling enforcement of access policies at an app level, organizations can differentiate critical corporate apps (e.g., ERP) from generic work apps (say, a cafe menu).
Reporting/Audit - Duo’s dashboard and reports enable administrators to monitor authentication attempts and identify suspicious login events in case of compromised credentials. Duo also records comprehensive logs that help businesses demonstrate compliance during audits.
Complying with regulatory requirements helps prevent penalties and fines due to willful violations. More importantly, compliance minimizes the risk of a breach. Many organizations choose Duo because of the ease with which they can achieve compliance and improve security posture.
Download this Duo for Compliance datasheet to get an overview of how Duo’s solutions satisfy specific controls.
Sign up for a free trial to experience the product and see how Duo can satisfy some of the requirements outlined by various data privacy regulations.