New York SHIELD Act and NYDFS
The New York SHIELD Act establishes a comprehensive regime for sensitive data protection and breach
notification for New York state residents, while the NYDFS cybersecurity regulations impose a holistic
cybersecurity program for financial institutions operating in the state of New York.
What is SHIELD Act and what does it mean for your business?
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act, also referred to as NY Senate Bill S5575B, was signed into state law on July 25, 2019 and amends New York’s 2005 Information Security Breach and Notification Act. The latter comprises Section 208 of the NY State Technology Law (STT) and Section 899-AA of the NY General Business Law (GBS), which together created the foundational data breach notification rules in New York State.
ImmuniWeb can help you comply with SHIELD Act and NYDFS cybersecurity and data protection requirements. Learn more
The Act offers solid protection to “private information”, which is broadly defined as personal information (defined by the statute as “any information concerning a natural person which can be used to identify such natural person”) in combination with a social security number, driver’s license number, account number, debit or credit card number, or biometric information. A username or email address in combination with a password or secret question is also considered private information. Public records are exempted from the definition of private information under the SHIELD Act.
The SHIELD Act requires any person or business that maintains private information of New York residents to adopt robust administrative, technical and physical safeguards to protect that information. Covered entities that are already compliant with the HIPAA, GLBA or NYDFS information security requirements are deemed compliant with the data protection provisions of the SHIELD Act.
Like the GDPR, the SHIELD Act applies extraterritorially and covers “any person or business that owns or licenses computerized data which involves private information” of New York State residents. The Act therefore applies to every company and organization that handles private information of New York residents, regardless of its geographical location, country of domicile or size. There are, however, narrow exceptions to the data protection obligations for small businesses, for instance companies that employ fewer than 50 people. These exemptions do not extend to the data breach notification duties under the SHIELD Act.
Under the Act, the NY Attorney General (AG) is empowered to bring an action to enjoin violations of the Act and to obtain civil penalties of up to 5,000 USD per violation.
What are the NYDFS cybersecurity regulations and what do they mean for your business?
The New York Department of Financial Services (NYDFS) is the state regulator for a wide spectrum of financial institutions and financial service companies, whether based in the state or foreign institutions licensed to do business in New York State. The regulated entities include banks and trust companies, budget planners, charitable foundations, health and life insurance companies, check cashers, consumer credit reporting agencies, mortgage loan servicers and credit unions.
With the release of the NYDFS cybersecurity regulations (23 NYCRR 500), which became effective on February 18, 2018, the NYDFS has persuasively demonstrated that it treats cybersecurity with the highest degree of care. The regulations create a comprehensive cybersecurity and data protection framework that is mandatory for all covered entities and their suppliers. Narrow exceptions to certain provisions of the NYDFS cybersecurity regulations exist for small businesses; for example, covered entities with fewer than 10 employees (including independent contractors) have no binding obligation to employ a full-time CISO.
Furthermore, the NYDFS cybersecurity regulations require covered entities to maintain a detailed incident response plan and impose mandatory reporting of cybersecurity incidents and breaches.
What are the cybersecurity requirements under the SHIELD Act?
The SHIELD Act imposes a risk-based approach to preserving the confidentiality, integrity and availability of private information by establishing a multifaceted data security program that, among other things, includes:
- Identification of risks and threats via regular risk assessments.
- Auditing of the existing security controls for adequacy, sufficiency and efficiency.
- Selection of vendors capable of maintaining the same data protection requirements.
- Ongoing security training of employees.
The technical controls expressly imposed by the Act oblige covered entities to continuously:
- Assess risks in network and software design.
- Assess risks in information processing, transmission and storage.
- Detect, prevent and respond to attacks or system failures.
- Test and monitor the effectiveness of key controls, systems and procedures.
Unsurprisingly, the SHIELD Act also addresses physical security, secure data transportation and disposal, ensuring that destroyed private information cannot be recovered.
What are the cybersecurity requirements under the NYDFS regulations?
The NYDFS cybersecurity regulations require each covered entity to establish a cybersecurity program that preserves the confidentiality, integrity and availability of its information systems (NYCRR 500.02 “Cybersecurity Program”). Unlike the SHIELD Act, which protects only the private information of individuals, the NYDFS regulations impose holistic protection of virtually all digital systems and the data they process, ranging from mobile devices to external cloud storage.
All covered entities must maintain regularly updated information security policies, approved by a senior manager or the board of directors, that address, among other things, data governance and information classification, asset inventory, business continuity and disaster recovery planning, and customer data privacy (NYCRR 500.03 “Cybersecurity Policy”). Furthermore, covered entities are required to appoint a Chief Information Security Officer (CISO) tasked with maintaining the cybersecurity program and reporting directly to the board at least annually.
Special attention is given to regular penetration testing and continuous vulnerability scanning (NYCRR 500.03 “Penetration Testing and Vulnerability Assessments”), which includes:
- Annual penetration testing of the covered entity’s information systems, based on the risks identified in the risk assessment; and
- Bi-annual vulnerability assessments, including any systematic scans or reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the covered entity’s information systems based on the risk assessment.
Application security and resilience must also be handled with special care through the use of secure development practices for in-house developed applications, supplemented by procedures for evaluating, assessing and testing the security of externally developed applications (NYCRR 500.08 “Application Security”).
Other cybersecurity requirements include ongoing security training of personnel and the use of multifactor authentication and strong encryption. All covered entities must make an annual filing to the NYDFS Superintendent confirming that the entity complies with the data protection and cybersecurity requirements. The filing can be made online via the NYDFS Cybersecurity Portal.
What are the data breach notification requirements under the SHIELD Act?
The SHIELD Act considerably expanded the data breach notification duties that previously existed in New York State under the Information Security Breach and Notification Act of 2005.
The definition of a “data breach” under the Act was likewise expanded to cover both unauthorized access to and unauthorized acquisition of any private information, whereas in the past notification was only required when private information was unlawfully acquired (i.e. stolen). Moreover, the scope of “private information” was greatly enlarged by the SHIELD Act, turning many previously unremarkable security incidents into reportable data breaches. There are some narrow exemptions for low-risk data breaches affecting fewer than 500 individuals, but they should be applied with great prudence and care.
Unlike the European GDPR or the Singaporean PDPA, the SHIELD Act does not impose a specific number of days within which to notify the affected individuals, but rather mandates notification “in the most expedient time possible.” The breach notification must be made in writing and describe the incident, the compromised data, the reasonably foreseeable risks and the contact details of the breached entity. The breached entity must also notify consumer reporting agencies, such as Equifax, if more than 5,000 New York residents are affected by the breach.
In addition to notifying the affected individuals, the Act requires notice to the office of the New York Attorney General (NYAG), the New York Department of State and the New York State Police. To facilitate the process, the NYAG provides a web portal for data breach reporting: a notification submitted via the portal is automatically sent to all three entities and is deemed sufficient.
What are the data breach notification requirements under the NYDFS cybersecurity regulations?
Covered entities must report a cybersecurity incident to the NYDFS Superintendent as soon as possible, but no later than 72 hours after its detection (NYCRR 500.1 “Notices to Superintendent”), when the incident causes, or is likely to cause, material harm to the normal operations of the covered entity.
What are the supply chain security requirements under the SHIELD Act?
The Act expressly requires that vendors and third-party suppliers be selected with care. It imposes a duty upon covered entities to “select service providers capable of maintaining appropriate safeguards” and to “require those safeguards by contract” as part of the SHIELD Act’s technical safeguards.
From a practical viewpoint, this means that a SHIELD-covered entity will likely be accountable and legally liable for any omissions or deficient cybersecurity practices of third parties that process private information of New York residents on its behalf.
What are the supply chain security requirements under the NYDFS cybersecurity regulations?
An entire section of the NYDFS cybersecurity regulations is dedicated to third-party risk management and the mitigation of supply chain attacks (NYCRR 500.1 “Third Party Service Provider Security Policy”).
All covered financial institutions must develop and maintain a written policy addressing third-party risks, which shall be made available to their third parties. The policy must establish a clear set of minimum cybersecurity practices that suppliers must meet to do business with the covered entity, describe the due-diligence process used to evaluate the efficiency and adequacy of suppliers’ cybersecurity practices, and describe the process for periodic assessments and audits of suppliers and third parties.
Additionally, the policy needs to define specific contractual clauses that impose data protection and cybersecurity duties upon third parties, at least of the same quality and comprehensiveness as required under the NYDFS cybersecurity regulations. Among other things, the contractual clauses shall include mandatory data breach notification to the covered entity when a supplier or vendor experiences a security incident that implicates the covered entity’s data.