The landscape of privacy and related legislation in the United States continues to get more interesting. While the California Consumer Privacy Act (CCPA) has been the talk of the town among privacy and security professionals, New York has also put something noteworthy in place: the “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act for short. Not only is it relatively prescriptive, but it also spells out cybersecurity obligations that are particularly relevant for security professionals.
The SHIELD Act was signed into law in July 2019, and its data security requirements become effective on March 21, 2020 (the amended breach notification provisions took effect earlier, on October 23, 2019). It requires businesses that own or license New York residents’ private information to implement and maintain a data security program, and it expands the state’s breach notification obligations.
Let’s start with a look at what is needed to address the data security program requirements of the SHIELD Act. In general, businesses must put reasonable administrative safeguards in place, starting with the designation of at least one employee to coordinate the security program, a role that corresponds to that of an information security officer.
“Reasonably foreseeable risks,” both internal and external, must be identified, and the safeguards in place to control the identified risks must be assessed for sufficiency. Training and managing employees in the security program’s practices and procedures is now mandatory as well. Service providers must be selected for their ability to maintain appropriate safeguards, and those safeguards must be required by contract. And in case of business changes or new circumstances, the security program has to be adjusted.
The next pillar of the SHIELD Act deals with reasonable technical safeguards. Called out here are assessing the risks in network and software design as well as in the processing, transmission, and storage of information, which in practice means implementing the corresponding security controls. Similarly, for detecting, preventing and responding to attacks or system failures, you must put policies and procedures in place, for example by implementing business continuity and disaster recovery mechanisms or performing regular penetration tests. Of course, you must also verify that these measures actually work, which the SHIELD Act expresses as the requirement of regularly testing and monitoring the effectiveness of key controls, systems and procedures.
Physical or not seems to be no question
The third and final pillar of the SHIELD Act is devoted to additional safeguards. The official term “physical,” used in the act for this domain, seems somewhat misleading in this context, as the items listed there must address much more than physical safeguards. For example, when assessing the risks of information storage and disposal, physical access controls are just one element, whereas technical barriers such as firewalls, antivirus software and cloud access security brokers (CASBs) also have to be considered. Likewise, for detecting, preventing and responding to intrusions, which is another provision in the SHIELD Act, physical protection such as CCTV cameras covers only part of the story.
Another measure that ends up under the “physical safeguards” heading is a software-based intrusion detection and prevention system. Such a system also helps protect “against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information,” which the SHIELD Act likewise files under reasonable physical safeguards.
The final entry in that category (“disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed”) addresses the lifecycle of private information. This provision aims to end the usual practice of either keeping data as long as possible in case it might ever be needed again, or no longer paying any attention to it after use, which amounts to keeping it forever. Both practices increase the risk that the information will be exposed in a data breach. Note the wording: deleting a file or a database row is not enough if the data can still be reconstructed from backups, snapshots or unwiped storage media.
If you are familiar with the (ISC)² Common Body of Knowledge (CBK®) of the Certified Information Systems Security Professional (CISSP) and its eight domains, then this package of measures is no stranger to you. Likewise, if you have experience with the ISO/IEC 27001:2013 information security management systems standard, you are on a good path to mastering the requirements of these security controls.
Is the New York SHIELD Act a comprehensive law similar to the EU’s General Data Protection Regulation (GDPR)? No, and its authors make no such claim. Instead, it contains requirements that security professionals can address directly, aiming for better protection of private information and for minimizing data breaches and their consequences.
So how does the SHIELD Act compare to the CCPA? A closer look makes clear that they serve very different purposes. Whereas New York’s SHIELD Act aims to stop hacking and raise the level of protection for electronic data, California’s CCPA aims to improve consumers’ data privacy rights. There is some overlap, but the directions (and the paths to get there) are clearly different.
Here are some important facts about the New York SHIELD Act, which requires businesses that own or license New York residents’ 'private information' to implement and maintain a data security program that includes (source: Senate Bill S5575B, page 6):
- Reasonable administrative safeguards
  - Designating one or more employees to coordinate the security program
  - Identifying reasonably foreseeable internal and external risks
  - Assessing the sufficiency of safeguards in place to control the identified risks
  - Training and managing employees in the security program practices and procedures
  - Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract
  - Adjusting the security program in light of business changes or new circumstances
- Reasonable technical safeguards
  - Assessing risks in network and software design
  - Assessing risks in information processing, transmission and storage
  - Detecting, preventing and responding to attacks or system failures
  - Regularly testing and monitoring the effectiveness of key controls, systems and procedures
- Reasonable physical safeguards
  - Assessing risks of information storage and disposal
  - Detecting, preventing and responding to intrusions
  - Protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information
  - Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed