New York SHIELD Act and NYDFS
The New York SHIELD Act establishes a comprehensive regime for sensitive data protection and breach
notification for New York State residents, while the NYDFS Cybersecurity Regulation imposes a holistic
cybersecurity program for financial institutions operating in the state of New York.
What is the SHIELD Act and what does it mean for your business?
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act, also referred to as the NY Senate Bill S5575B, signed into New York State law on July 25, 2019, amended the state’s 2005 Information Security Breach and Notification Act. The latter is composed of Section 208 of the NY State Technology Law (STT) and Section 899-AA of the NY General Business Law (GBS), that created foundational data breach notification rules in New York State.
ImmuniWeb can help you comply with SHIELD Act and NYDFS cybersecurity and data protection requirements. How We Help
The SHIELD Act offers substantial protection in respect of “private information” that is broadly defined as any personal information concerning a natural person in combination with any one or more of the following data elements in combination any required security code:
- social security number
- driver’s license number
- account number
- biometric information
- username or email address along with password credentials
Public records are exempted from the definition of “private information” under the SHIELD Act.
The SHIELD Act mandates any person or business that maintains private information of New York residents to adopt robust administrative, technical and physical safeguards to protect this information. Covered entities which are already compliant with the HIPAA, GLBA or NYDFS information security requirements are considered to be compliant with the data protection provisions of the SHIELD Act.
Akin to GDPR, the SHIELD Act applies extraterritorially and covers “any person or business that owns or licenses computerized data which involves private information” of New York State residents. Therefore the Act applies to all companies and organizations that handle private data of New York State residents, regardless of their geographical location or country of domiciliation. There are minor exemptions for SMEs which employ fewer than 50 people, but these do not apply in respect of data breach notification duties under the SHIELD Act.
The NY Attorney General (AG) is able to bring actions in respect of any violations of the SHIELD Act and can seek civil penalties of up to 5,000 USD per violation.
What are the NYDFS cybersecurity regulations and what do they mean for your business?
The New York Department of Financial Services (NYDFS) is responsible for regulating a wide spectrum of financial institutions and financial service companies operating in New York State, including:
- banks and trust companies;
- budget planners;
- charitable foundations;
- health and life insurance companies;
- check cashers;
- consumer credit reporting agencies;
- mortgage loan servicers; and
- credit unions.
The NYDFS Cybersecurity Regulation (23 NYCRR 500),as amended in 2022, demonstrates the commitment of the NYDFS to ensuring its covered entities adhere to robust cybersecurity standards. The Cybersecurity Regulation creates a comprehensive cybersecurity and data protection framework that must be followed by all covered entities and their suppliers. There are narrow exemptions for covered entities with fewer than 10 employees (including independent contractors).
Amongst other things, the NYDFS Cybersecurity Regulation requires covered entities to have a detailed incident response plan, and it imposes mandatory reporting of cybersecurity incidents and breaches.
In May 2023 NYDFS reached a settlement worth 4.25 million USD in respect of violations of the Regulation by OneMain Financial Group LLC - namely the failure to “effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.”
Separately from the Regulation, New York State published a Cybersecurity Strategy in August 2023. One of the pillars of the strategy is to “regulate critical industries” which include the financial sector and energy sector.
What are the cybersecurity requirements under the SHIELD Act?
The SHIELD Act imposes a risk-based approach to preserve the confidentiality, integrity and availability of private information, by establishing a multifaceted data security program that includes:
- Identification of risks and threats via regular risk assessments;
- Auditing of existing security controls for adequacy, sufficiency and efficiency;
- Selection of vendors capable of maintaining data protection requirements; and
- Ongoing security training of employees.
Technical controls, expressly imposed by the Act, oblige covered entities to continuously:
- Assess risks in network and software design;
- Assess risks in information processing, transmission and storage;
- Detect, prevent and respond to attacks or system failures; and
- Test and monitor the effectiveness of key controls, systems and procedures.
Unsurprisingly, the SHIELD Act also addresses physical security, secure data transportation, and disposal procedures which ensure that any destroyed private information cannot be recovered.
What are the cybersecurity requirements under the NYDFS Regulation?
The NYDFS Cybersecurity Regulation mandates each covered entity to establish a cybersecurity policy to preserve the confidentiality, integrity and availability of its information systems (NYCRR 500.02 “Cybersecurity Program”). In contrast to the SHIELD Act, which grants protection only to the private information of individuals, the NYDFS Regulation imposes comprehensive protection for data processed by nearly all digital systems, ranging from mobile devices to external cloud storage.
All covered entities must keep regularly updated information security policies, approved by a senior manager or the board of directors, covering matters such as: data governance and information classification, asset inventory, business continuity and disaster recovery planning, and customer data privacy (NYCRR 500.03 “Cybersecurity Policy”). Furthermore, covered entities are required to appoint a Chief Information Security Officer (CISO) tasked with maintaining the cybersecurity program and reporting directly to the board at least annually.
Special attention is given to regular penetration testing and continuous vulnerability scanning (NYCRR 500.03 “Penetration Testing and Vulnerability Assessments”) and includes:
- Annual penetration testing of the covered entity’s information systems based on identified risks, in accordance with the risk assessment; and
- Bi-annual vulnerability assessments, including any systematic scans or reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the covered entity’s information systems based on the risk assessment.
Application security and resilience are also to be handled with special care by usage of secure development practices for in-house developed applications, enhanced with procedures for evaluating, assessing and testing security of externally developed applications (NYCRR 500.08 “Application Security”).
Other cybersecurity requirements include ongoing security training of personnel, usage of multifactor authentication and strong encryption. All covered entities must make an annual filing to the NYDFS Superintendent confirming that the entity complies with the data protection and cybersecurity requirements. The filing can be done online via the NYDFS Cybersecurity Portal.
A forthcoming amendment to the Regulation will introduce several new requirements, including:
- Class A companies - a new category of “Class A” companies will be created, namely those with at least 20 million USD in gross annual revenue during each of the last two years from operations in New York and either (i) 2,000 employees over the last two years on average OR (ii) over 1 billion USD in gross annual revenue in each of the last two fiscal years from all business operations. Class A companies will be subject to enhanced requirements.
- Multi-factor Authentication - systems of covered entities will need to deploy multi-factor authentication for any remote access.
- Incident response plans - these will need to include a “root cause analysis that describes how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.”
It is understood that this amendment will not take effect until at least February 2024.
ImmuniWeb can help you comply with SHIELD Act and NYDFS cybersecurity and data protection requirements. How We Help
What are the data breach notification requirements under the SHIELD Act?
The SHIELD Act considerably expanded data breach notification duties that had previously existed in New York State under the Information Security Breach and Notification Act of 2005.
The definition of a “data breach” was also expanded to cover both unauthorized access and unauthorized acquisition of any private information (previously notification was only required when private information had been unlawfully acquired, i.e. stolen). Moreover, the scope of the “private data” was greatly enlarged by the SHIELD Act, thereby transforming many quiet security incidents into reportable data breaches. There are some narrow exemptions for low-risk data breaches affecting less than 500 individuals, but they are to be applied with great care.
In contrast to the European GDPR or Singaporean PDPA, the SHIELD Act does not impose a specific number of days to notify the aggrieved individuals, but rather mandates notification “in the most expedient time possible.” Notification must be made in writing and should describe the incident, compromised data, reasonably foreseeable risks and contact details of the compromised entity. The breached entity must also notify consumer reporting agencies, such as Equifax, if more than 5,000 New York State residents are affected by the breach.
After notifying the victims, the Act also requires notification of the New York Attorney General (NYAG), New York Department of State and the New York State Police. To facilitate the process, the NYAG provides a web portal for data breach reporting: notifications made via the portal are automatically sent to all three entities and deemed sufficient.
What are the data breach notification requirements under the NYDFS Cybersecurity Regulation?
Covered entities must report security incidents to the NYDFS Superintendent as soon as possible but no later than in 72 hours since detention (NYCRR 500.1 “Notices to Superintendent”) when the incident causes, or is likely to cause, any material harm to normal operations of the covered entity.
The aforementioned forthcoming amendment to the Regulation will introduce further notification requirements, including in the case of:
- cybersecurity events where an unauthorized user has gained access to a privileged account;
- cybersecurity events that resulted in the deployment of ransomware within a material part of the covered entity’s information system;
- cybersecurity events that occur at an affiliate or third-party service provider.
What are the supply chain security requirements under the SHIELD Act?
The Act expressly requires that vendors and third-party suppliers are selected with care. It imposes a duty upon the covered entities to “select service providers capable of maintaining appropriate safeguards” and to “require those safeguards by contract” as a part of the SHIELD Act’s technical safeguards.
From a practical viewpoint, it means that a SHIELD-covered entity will likely be accountable and legally liable for any omissions or deficient cybersecurity practices of third parties that process the private information of New York State residents on their behalf.
What are the supply chain security requirements under the NYDFS Cybersecurity Regulation?
An entire section of the NYDFS Cybersecurity Regulation is dedicated to third-party risk management and supply chain attacks mitigation (NYCRR 500.1 “Third Party Service Provider Security Policy”).
All covered financial institutions must develop and maintain a written policy to address third-party risks, which shall be available to their third parties. The policy must:
- establish a clear set of minimum cybersecurity standards which suppliers must have have in order to do business with the covered entity;
- explain the due-diligence process used to evaluate efficiency and adequacy of the cybersecurity practices of suppliers; and
- describe the process of periodic assessments and audits of suppliers and third parties.
Additionally, the policy needs to define specific contractual clauses which impose data protection and cybersecurity duties upon third parties, which meet the standards required by the NYDFS Cybersecurity Regulation. For example, clauses should include mandatory data breach notification to the covered entity when a supplier or vendor experiences a security incident which impacts the entity’s data.