New York Data Security Act
In early November, New York Attorney General Eric T. Schneiderman announced the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The proposed bill (S6933) is also referred to as the ‘New York Data Security Act’.
The SHIELD Act has recently been introduced into the New York legislature as a program bill that would amend the state’s existing data security statute.
SHIELD’s aim is to protect New Yorkers’ personal information from a growing number of data breaches, and to ensure they are notified when such breaches occur.
A safe harbor for organizations compliant with ISO 27001 or NIST 800-53
SHIELD would create a safe harbor: organizations that are compliant with ISO 27001 (supported by the best-practice guidance in ISO 27002) or with NIST SP 800-53 would not be subject to enforcement action by the Attorney General unless there is evidence of “willful misconduct, bad faith, or gross negligence.” This is a safe harbor from enforcement, not blanket immunity: compliance with a recognized framework shifts the burden, but the Attorney General could still act where such misconduct is shown.
The key changes proposed by the SHIELD Act
Under the SHIELD Act, any person or business holding the private information of New York residents would have a legal duty to develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect it.
The administrative safeguards include:
- Designating employees to coordinate a security program
- Identifying internal and external risks
- Assessing the sufficiency of safeguards to control risks
- Training employees in security practices
- Selecting capable service providers
- Adjusting the security program with changes in the business
The technical safeguards include:
- Assessing risks in software and network design
- Assessing risks in information processing, transmission, and storage
- Detecting, preventing, and responding to incidents or system failure
- Testing and monitoring systems, controls, and procedures
The physical safeguards include:
- Assessing risks of information storage and disposal
- Detecting, preventing, and responding to intrusions
- Protecting against unauthorized access or use of private information
- Reasonably disposing of private information after it is no longer needed
Who does the SHIELD Act apply to?
The SHIELD Act would apply to any person or business that holds the private information of New York residents, regardless of whether it does business in New York.
Penalties under the SHIELD Act
Failure to comply with the legislation could result in a civil action and penalties under the General Business Law of up to $5,000 per violation of the safeguards requirement, or $20 for each failed breach notification, up to a maximum of $250,000.
How IT Governance can help
IT Governance has wide-ranging information security expertise to help organizations achieve compliance with the international information security standard, ISO 27001 (and ISO 27002).
We offer a comprehensive suite of information resources, solutions, and consultancy services.
Contact us today to discuss your compliance requirements by emailing firstname.lastname@example.org or calling 877 317 3454.