New York SHIELD Act Now Requires Your Compliance

If you’re already complying with the principles of GDPR, HIPAA, etc., then you’re probably already OK to operate in NY state. Worth checking, though…:

[…] The SHIELD Act is meant to protect the following private data concerning New Yorkers:

  • Unencrypted copies of:
    • Social security numbers
    • Driver’s license numbers or non-driver identification card numbers
    • Account numbers, credit or debit card numbers, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account
    • Account numbers, credit or debit card numbers, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code or password
    • Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity
    • User names or e-mail addresses in combination with passwords or security questions and answers that would permit access to an online account.

Cybersecurity Program Requirements
Businesses in possession of such data, be it customer data or employee data, must take steps to ensure it is physically and technologically secure and disposed of in a reasonable amount of time and in a safe manner. They must further enact a written cybersecurity program that addresses the following areas:

  • Administrative Safeguards
    • Designating one or more employees responsible for the cybersecurity program
    • Identifying foreseeable internal and external risks
    • Assessing existing safeguards to address identified risks
    • Training and managing employees on practices and procedures to address risk
    • Selecting service providers capable of maintaining appropriate safeguards (and requiring those safeguards to be in place by contract)
    • Adjusting the cybersecurity program to reflect business changes
  • Technical Safeguards
    • Assessing risk in network and software design
    • Assessing risk in information processing, transmission and storage
    • Detecting, preventing and responding to attacks and system failures
    • Regularly testing and monitoring effectiveness of key controls
  • Physical Safeguards
    • Assessing risk of information storage and disposal
    • Detecting, preventing and responding to intrusions
    • Protecting against unauthorized access to or use of private information during collection, transportation and destruction or disposal of information
    • Disposing of private information within a reasonable amount of time, and erasing electronic media so it cannot be read or reconstructed

[…]

Read the original article here