New York Data Security Act
In November 2017, New York Attorney General Eric T. Schneiderman announced the Stop Hacks and Improve Electronic Data Security Act (SHIELD). This proposed bill (S6933) is referred to as the ‘New York Data Security Act’.
The SHIELD Bill has recently been introduced into the legislature in New York as a program bill and amendment to the state’s existing data security statute.
SHIELD’s aim is to protect New Yorkers’ personal information from a growing number of data breaches, and to ensure they are notified when such breaches occur.
Achieve immunity with ISO 27001 certification
SHIELD would create a safe harbor under which organizations compliant with ISO 27001 (and supported by the best-practice guidelines contained in ISO 27002) or NIST 800-53 would not be subject to prosecution by the Attorney General unless there is evidence of “willful misconduct, bad faith, or gross negligence”.
Want to know more about ISO 27001?
Get your organization started with ISO 27001 certification today. Get in touch with one of our experts for more information.
The key changes proposed by the SHIELD Bill
Under SHIELD, organizations will have a legal responsibility to handle the sensitive data of New York residents in keeping with administrative, technical, and physical safeguards, including:
- Designating employees to coordinate a security program
- Identifying internal and external risks
- Assessing the sufficiency of safeguards to control risks
- Training employees in security practices
- Selecting capable service providers
- Adjusting the security program with changes in the business
- Assessing risks in software and network design
- Assessing risks in information processing, transmission, and storage
- Detecting, preventing, and responding to incidents or system failure
- Testing and monitoring systems, controls, and procedures
- Assessing risks of information storage and disposal
- Detecting, preventing, and responding to intrusions
- Protecting against unauthorized access or use of private information
- Reasonably disposing of private information after it is no longer needed
Who will the SHIELD Act apply to?
The SHIELD Act will apply to all companies handling the sensitive personal data of New York residents, whether or not they do business in New York.
Penalties under SHIELD
Failure to comply with the legislation could result in a civil suit and penalties under the General Business Law of up to $5,000 per violation or $20 per instance of failed notification, up to a maximum of $250,000.
Speak to an expert
IT Governance has the information security expertise to help organizations achieve compliance with the international information security standard, ISO 27001, and its companion guidance, ISO 27002. Please contact our ISO 27001 team for advice and guidance on our products and services.