New York SHIELD Act: Getting Your Organization Ready

On March 21, 2020, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act data security requirements go into effect. The breach reporting obligations under the SHIELD Act are already in effect, but the proactive safeguards organizations must implement to comply with the Act are not effective for about another month. If your business collects personal data on New York residents, it is time to start looking into whether your organization is compliant. 

In a previous post, we examined the SHIELD Act and the key changes it brings to New York. In this post, we ask the question: what do organizations need to consider in order to become compliant? Let’s take this step-by-step. 

STEP ONE: Assess

If you are concerned that the SHIELD Act may apply to your organization, the first step in the process is to determine whether your company is actually covered by the Act. The only way to know is to do the analysis. 

Companies often ask whether, if they simply never perform the analysis, they can claim “plausible deniability” about being covered. The answer is no. Ignorance of the law is no excuse. So, if you are not sure whether a certain jurisdiction’s data privacy law applies to your organization, the first step is to find out. 

Keep in mind that many privacy laws have an extraterritorial effect (e.g., the GDPR and the CCPA), which means that you do not have to be physically located in the state or region of the world for the law to apply to you. The SHIELD Act is no exception. It applies to any person or business that owns or licenses computerized data that includes private information about New York residents. That means an organization does not have to be a New York business to be covered. 

Unlike the GDPR, the SHIELD Act does allow a small business (one with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) to take cost into consideration when creating its program. However, a small business must still implement “reasonable” safeguards appropriate for its size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it collects. Also, businesses already subject to other data privacy and security regulations (such as GLBA, HIPAA or the NYDFS cybersecurity regulation) should map those obligations into the same program rather than running a separate one for each law.  

Assessments are highly effective tools for determining whether a law applies to your company. They can also highlight the good things your organization is already doing. That way, your company has a real understanding of which laws apply, where the organization is already complying with them, and where the gaps are. Knowing those gaps allows you to fill them and reduce liability. This brings us to the next step in the process: Remediation. 

STEP TWO: Remediate

The SHIELD Act requires any company covered by the law (as determined under Step One) to implement and maintain reasonable administrative, physical and technical safeguards to protect the security, confidentiality and integrity of private information. 

Administrative safeguards are actions like policies and procedures that manage the selection, development, implementation and maintenance of security (and privacy) measures to protect sensitive data, and that manage the conduct of the covered entity’s workforce in relation to the protection of that information. Administrative safeguards under the SHIELD Act include: 

  • conducting a risk assessment that identifies reasonably foreseeable internal and external risks and evaluates whether existing safeguards are sufficient to control them (ahem, as previously stated), 
  • designating one or more employees to coordinate the security program, 
  • training and managing employees in the security program’s practices and procedures, and 
  • selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract. 

Administrative safeguards are usually evidenced by documentation. They are a way for an organization to establish at least the first stage of compliance. So while the Act does not specifically require written policies and procedures, they are certainly recommended, because they are what you will point to when asked to demonstrate that the program exists. 

Next are physical safeguards. Physical safeguards are the way an organization prevents unauthorized physical access to sensitive data. They include the policies, procedures and processes to assess the risks of information storage and disposal, to protect sensitive data during collection, transportation and disposal, to detect and respond to intrusions, and to secure the areas where sensitive data is stored. A key component of physical safeguards is the disposal of private information within a reasonable time after it is no longer needed, and the secure destruction of technological assets so that any device that held or had access to data is securely wiped or physically destroyed.

Finally, technical safeguards are the controls built into the infrastructure itself. This category may be the most obvious. It covers assessing risks in network and software design, and in information processing, transmission and storage; detecting, preventing and responding to attacks or system failures; and regularly testing and monitoring the effectiveness of key controls, systems and procedures around the IT infrastructure. Other technical safeguards are not specifically required by the Act but are certainly recommended (and part of general best practice): encryption of private information at rest and in transit, data loss prevention (DLP) tools, and multi-factor authentication, which remains one of the highest-value controls an organization can deploy. Note that encryption also matters for breach notification, since the Act’s breach provisions turn on whether private information was accessed in a form that was not encrypted, or was encrypted with a key that was also compromised. 

All three of these components should feed into and support an enterprise-wide compliance program. When it comes to demonstrating compliance with the SHIELD Act, or any similar privacy or security regulation, there must be an organized and documented program that shows how the company is addressing the administrative, physical and technical safeguards. This does not need to be a million documents. But it should start with at least a written strategic plan for security and privacy that can grow into a full compliance program over time.  

STEP THREE: Maintain

While not a specific requirement under the Act, having a security compliance program without the ability to maintain it in the long term is the equivalent of not having a compliance program. Besides, as anyone will tell you, it is easier to maintain a program than to start from scratch. So maintenance is key. 

Maintenance should be built into the security program so that the organization continually monitors the program for new vulnerabilities and for improvements. However, be wary of any tool that claims it can maintain (i.e., “set it and forget it”) a cybersecurity or data privacy program. Maintenance should take a multi-faceted approach that combines security tools with monitoring and periodic reassessment to improve the systems. What works, what does not work, and how to make it better are the key questions of any maintenance program. Techniques like tabletop exercises can be extremely helpful for keeping a program updated and fresh, and for testing whether the incident response and breach notification procedures actually work before they are needed.  

Now is NOT the time to wait!

With March 21 rapidly approaching, covered businesses need to be actively taking steps to ensure that they comply with the NY SHIELD Act. Laws that regulate data are here to stay and are only becoming more prevalent. So whether it is the SHIELD Act or another regulation, assessing, remediating and maintaining a data security and privacy program is of paramount importance. 

Let the team at XPAN help your organization. Whether you are at the beginning of the privacy and security journey (i.e., the assessment) or need to remediate and maintain, XPAN assists organizations of all sizes in addressing their data privacy and security needs, and in breaking down a complex subject into manageable and effective strategies that complement your business and its growth. Because, when it comes to compliance with new laws, luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.