In a New York State of Mind with the NY SHIELD Act
As Frank Sinatra and Jay-Z both sang, “if I can make it here then I can make it anywhere.” Those lyrics hold especially true for businesses that process the private information of any New York state resident.
The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act – passed in July 2019 – expands the scope of New York State’s data breach notification law to include:
- An expanded definition of what’s considered “personal information”
- New prescriptive measures on how to adequately protect that data
- An extra-territoriality dimension
New York has a population of over 20 million, and the law now applies to any person or business that processes the private information of a New York resident, regardless of whether that organization actually conducts business in New York.
New York’s data breach law originally defined covered Personal Information (PI) as “any information concerning a natural person, which, because of name, number, personal mark or other identifier, can be used to identify such natural person.”
The SHIELD Act effectively broadened that definition into one of “Private Information”, which includes data elements such as a Social Security number; a driver’s license number or non-driver ID card number; biometric information; an account number; and a credit or debit card number in combination with a security code or passcode.
Making a brand new start (for protecting data)
How can organizations achieve compliance with the NY SHIELD Act? They need visibility into the data that must be protected under the new requirements – and the ability to determine whose data it is. In addition, covered organizations need to be able to distinguish between employees and customers, not least because they will hold different types of data for each.
The first step in this process is knowing your data. Without knowing whose data has been affected, operationalizing the data breach notification process – which now covers even unauthorized access – is a daunting prospect.
The ability to accurately inventory an organization’s data holdings – and to put the expanded definition of what constitutes personal information into context – is fundamental to establishing which controls are implemented and maintained to minimize the impact of a data breach.
Security Please!
The next step in the enforcement of the SHIELD Act is now here – the “reasonable security requirements” provision has gone into effect: businesses that process New York residents’ personal information must now legally develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that data.
The new reasonable security requirements under Section 899-bb of the General Business Law include administrative, technical and physical safeguards: these include prescriptive measures such as conducting risk assessments, holding employee training sessions, performing due diligence on vendor contracts, and disposing of data in a timely manner.
Failure to implement these requirements could result in civil penalties of up to $5,000 for each violation by the business and individual employees. And if these failures lead to a data security incident, the monetary penalties could be significant.
Eight million stories out there (and their personal information)
Financial organizations subject to the Gramm-Leach-Bliley Act (GLBA), and healthcare organizations subject to the Health Insurance Portability & Accountability Act (HIPAA), may already be prepared, since these federal statutes include security and privacy provisions on how to handle personal information. However, these organizations will still have to account for data that falls under the SHIELD Act’s expanded definition of personal information.
Everyone else – aka the many (many) companies that fall within the scope of the SHIELD Act – will need to rethink their security posture and how they manage their data holdings.
This is where BigID comes in. Understanding the broadened definition of what constitutes personal information under the Act is crucial to ensuring that appropriate steps are taken to protect the information. Organizations need to be able to:
- determine who is a resident of New York state;
- automate the discovery of where New York state residents’ data is stored; and
- accurately determine how identifiers like account number, passwords and biometric data relate to that individual.
BigID is designed to automate the process of building an inventory of personal information by applying machine learning techniques that can determine residency, accurately classify identifiers and establish how those identifiers are correlated to individuals. In addition, inventorying personal data can facilitate a more streamlined approach to the breach notification process in the event of an incident, since BigID maintains insights into where data resides, whose data it is, and what identifiers are stored on a data source that could be the target of unauthorized access.
Ultimately, it’s up to all organizations to protect and secure their data holdings. And for anyone that is specifically covered by the SHIELD Act, as Taylor Swift wisely crooned, “Welcome to New York.”