NY SHIELD Compliance

Strengthen protections against data breaches of New York residents’ private information

The New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act

The NY SHIELD Act — which went into effect in New York on March 21, 2020 — applies to any person or business that owns or licenses computerized data that includes the private information of a New York resident.

NY SHIELD requires these organizations — referred to as “covered businesses” — to implement and maintain reasonable safeguards that protect the security, confidentiality, and integrity of residents’ private information.

Challenges to NY SHIELD Compliance

To achieve and maintain full compliance with NY SHIELD, covered businesses must implement and manage data security programs that incorporate “reasonable” safeguards over New Yorkers’ private information.

These security programs must include administrative, technical, and physical protections across the business.

Are You a “Covered Business”?

Before the NY SHIELD Act, companies were only obligated to provide data breach notifications under New York’s breach notification law — which only covered organizations that conducted business within New York state.

NY SHIELD expanded the scope of “covered businesses” to “any person or business which owns or licenses computerized data which includes private information” of a resident of New York.

Know Your Private Information

A subset of personal information, “private information” is the type of data regulated by NY SHIELD.

Private information includes combinations of username/password info that would permit access to an online account, biometric data, and account or credit card numbers used without other identifying information.

Companies must be able to classify and correlate private information to find relationships between data points.

Reasonable Administrative Safeguards

NY SHIELD’s mandate that covered businesses incorporate “reasonable administrative safeguards,” requires them to:

– designate and train employees to coordinate the security

– identify foreseeable internal and external risks

– assess the sufficiency of safeguards

– use service providers that maintain appropriate safeguards and contractually require those safeguards

– adapt security programs to business changes

Reasonable Technical Safeguards

“Reasonable technical safeguards” under NY SHIELD require organizations to:

– assess risks in network and software design

– assess risks in information processing, transmission, and storage

– prevent, detect, and respond to attacks or system failures

– regularly test and monitor controls, systems, and procedures

Reasonable Physical Safeguards

To maintain “reasonable physical safeguards” regulated by NY SHIELD, businesses must:

– assess risks of information storage and disposal

– prevent, detect, and respond to intrusions

– protect against unauthorized access during or after the
collection, transportation, and destruction of private information

– dispose of private information within a reasonable timeframe after it is no longer needed

Achieve Compliance, Avoid Penalties

Violations to NYSHIELD compliance, which are enforced by the New York Attorney General, may result in a civil penalty of up to $5,000 dollars per violation.

To avoid financial penalties and the reputational damage that violating companies face, companies must automate effective reporting on security controls.

Get A Demo

How BigID Helps with NY SHIELD Compliance

  • Identify and Map All Your Data

    Find and inventory your private information and high-risk data for a clear, comprehensive view of all the data you store and maintain — not just the data you know about.

  • Correlate & Catalog Private Information

    Accurately determine how identifiers like account number, passwords, and biometric data relate to an individual — and view data relationships in a single, catalog view.

  • Reduce Risk

    Prioritize your most high-risk data, flag data flows that pose risk, continuously monitor activity, and speed up breach notifications in the event of an incident.

  • Advanced Machine Learning

    Apply advanced machine learning techniques that can automatically inventory private information down to the individual level — by residency, sensitivity, risk, custom classifiers, and more.

Get a Demo

BigID for NY SHIELD Compliance

  • Discovery-in-Depth

    Discover all private and regulated information that falls under NY SHIELD — wherever it’s stored across the enterprise

  • Next-Gen Data Classification & Correlation

    Take an ML-based approach to automatically classify, tag, and discover relationships among high-risk, regulated data.

  • Data Remediation App

    Remediate sensitive and regulated NY SHIELD data — and manage high-risk data with remediation workflows and audit trails.