NY SHIELD Compliance
Strengthen protections against data breaches of New York residents’ private information
The New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act
The NY SHIELD Act — which went into effect in New York on March 21, 2020 — applies to any person or business that owns or licenses computerized data that includes the private information of a New York resident.
NY SHIELD requires these organizations — referred to as “covered businesses” — to implement and maintain reasonable safeguards that protect the security, confidentiality, and integrity of residents’ private information.
Challenges to NY SHIELD Compliance
To achieve and maintain full compliance with NY SHIELD, covered businesses must implement and manage data security programs that incorporate “reasonable” safeguards over New Yorkers’ private information.
These security programs must include administrative, technical, and physical protections across the business.
Are You a “Covered Business”?
Before the NY SHIELD Act, companies were only obligated to provide data breach notifications under New York’s breach notification law — which only covered organizations that conducted business within New York state.
NY SHIELD expanded the scope of “covered businesses” to “any person or business which owns or licenses computerized data which includes private information” of a resident of New York.
Know Your Private Information
A subset of personal information, “private information” is the type of data regulated by NY SHIELD.
Private information includes combinations of username/password info that would permit access to an online account, biometric data, and account or credit card numbers used without other identifying information.
Companies must be able to classify and correlate private information to find relationships between data points.
Reasonable Administrative Safeguards
NY SHIELD’s mandate that covered businesses incorporate “reasonable administrative safeguards” requires them to:
– designate and train employees to coordinate the security program
– identify foreseeable internal and external risks
– assess the sufficiency of safeguards
– use service providers that maintain appropriate safeguards and contractually require those safeguards
– adapt security programs to business changes
Reasonable Technical Safeguards
“Reasonable technical safeguards” under NY SHIELD require organizations to:
– assess risks in network and software design
– assess risks in information processing, transmission, and storage
– prevent, detect, and respond to attacks or system failures
– regularly test and monitor controls, systems, and procedures
Reasonable Physical Safeguards
To maintain “reasonable physical safeguards” regulated by NY SHIELD, businesses must:
– assess risks of information storage and disposal
– prevent, detect, and respond to intrusions
– protect against unauthorized access during or after the collection, transportation, and destruction of private information
– dispose of private information within a reasonable timeframe after it is no longer needed
Achieve Compliance, Avoid Penalties
Violations of NY SHIELD, which are enforced by the New York Attorney General, may result in a civil penalty of up to $5,000 per violation.
To avoid financial penalties and the reputational damage that violating companies face, companies must automate effective reporting on security controls.
How BigID Helps with NY SHIELD Compliance
Find and inventory your private information and high-risk data for a clear, comprehensive view of all the data you store and maintain — not just the data you know about.
Accurately determine how identifiers like account numbers, passwords, and biometric data relate to an individual — and view data relationships in a single catalog view.
Prioritize your most high-risk data, flag data flows that pose risk, continuously monitor activity, and speed up breach notifications in the event of an incident.
Apply advanced machine learning techniques that can automatically inventory private information down to the individual level — by residency, sensitivity, risk, custom classifiers, and more.
BigID for NY SHIELD Compliance
Discover all private and regulated information that falls under NY SHIELD — wherever it’s stored across the enterprise.
Take an ML-based approach to automatically classify, tag, and discover relationships among high-risk, regulated data.
Reduce risk on your most sensitive data with risk scores that incorporate data parameters like data type, location, residency, and more.
Remediate sensitive and regulated NY SHIELD data — and manage high-risk data with remediation workflows and audit trails.