In early November, New York Attorney General Eric T. Schneiderman announced the Stop Hacks and Improve Electronic Data Security Act (SHIELD). This proposed bill (S6933) is cited as the “New York Data Security Act”. The amendment:
- Updates the definitions used in existing law
- Addresses gaps in the existing New York State data security statute
- Includes a safe-harbor provision, which adds a layer of protection to companies that hold NYS data security certification
Any organization that maintains the private data of NYS residents is required to establish specific administrative, technical, and physical safeguards.
| Administrative safeguards | Technical safeguards | Physical safeguards |
|---|---|---|
| Identifying risks (internal and external) | Assessing software and network design risks | Assessing information storage and disposal risks |
| Providing cybersecurity training and awareness | Evaluating information processing, transmission, and storage risks | Detecting, preventing, and responding to intrusions |
| Conducting information security audits | Discovering, preventing, and responding to cyber incidents | Safeguarding against unauthorized users’ access to information and physical locations |
SHIELD provides safe harbor to certified compliant entities
SHIELD defines “certified compliant entities” as any organization that complies with federal or NYS cybersecurity laws, e.g. the NYDFS Cybersecurity Regulation or the Health Insurance Portability and Accountability Act.
These organizations will most likely have an ISO 27001- and/or NIST 800-5-accredited information security management system (ISMS) in place that is certified by an authorized third-party organization. If the company holds independent certification with the ISO and/or NIST standards, it should receive safe harbor.
Certified compliant entities will receive immunity from specific state enforcement actions, even if they violate certain statutes. However, if an organization demonstrates willful misconduct, actions of bad faith, or gross negligence, it will be held accountable and not benefit from safe harbor.
How to gain protection under safe harbor
In order to take advantage of SHIELD’s safe harbor provision, an organization must ensure it has an adequate, certified information security framework in place. There are a few frameworks that will help your organization to establish safe harbor, including ISO 27001.
Although implementing an ISMS is an investment of time and resources, safe harbor helps to mitigate risks, alleviate costs, and reduce the chance of attorney general enforcement litigation.
Ensure your organization complies with SHIELD
SHIELD is scheduled to take effect on January 1, 2018 with reporting due 120 days from that date on May 1, 2018. With safe harbor a major incentive, every organization affected by SHIELD – or any other state or federal cybersecurity regulation – should implement an ISO 27001-accredited ISMS.
ISO 27001 is the international standard that defines best practice for an ISMS. An ISMS that conforms to ISO 27001 will help an organization strengthen its security efforts, mitigate data breach risk, and become more efficient. Specific outcomes from adopting ISO 27001 for your ISMS include:
- Protecting your reputation
- Meeting client cybersecurity needs
- Avoiding fines and financial penalties
- Meeting international data security laws
To learn more about the New York Act (S6933), visit our information page.