Identity Governance and Administration Compliance for NY SHIELD Act

Karen Walsh

Karen Walsh


To increase theft prevention for New York State consumers, the legislature enacted the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act. Referring to the previous data breach notice law as outdated, the new regulatory compliance requirement becomes effective in 2020. Creating a holistic approach to Identity Governance and Administration (IGA) with intelligent analytics can ease the burdens associated with meeting the NY SHIELD Act compliance mandates.

What Is the NY SHIELD Act? – New York Stop Hacks and Improve Electronic Data Security

Senate Bill 5575, more commonly referred to as the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, was enacted on July 25, 2019 as an amendment to the General Business Law and the State Technology Law updating the breach notification requirements to impose stronger obligations on businesses handling private information and personal information in an attempt to mitigate threats that contribute to identity theft.

Section 2 of the bill amends the title of article 39-F of the General Business Law. Section 3 of the bill amends section 899-aa of the General Business Law.

What is Personal Information?

The NY SHIELD Act defines “personal information” as any data about a natural person can be used to identify that individual, including name, number, personal mark, or other identifiers.

How is Personal Information Different From Private Information?

While “personal information” is vague, The NY SHIELD Act defined “private information” as either personal information in combination with a variety of traditional non-public personally identifiable information or a user name/email address in combination with a password or security question/answer that permits access to an online account.

The SHIELD Act defines private information data elements as:

  • Social security number
  • Driver’s license number or non-driver identification card
  • Account number
  • Credit or debit card number in conjunction with:
  • Security code
  • Access code
  • Password
  • Any other information that permits financial account access
  • Account, credit card or debit card number if such number permits financial account access without additional identifying information
  • Biometric information defined as data generated by electronic measurements of an individual’s unique physical characteristics including but not limited to:
    • Fingerprint
    • Voice print
    • Retina or iris scan

What Is The NY SHIELD Act’s Definition of a Data Breach?

The NY SHIELD Act shifts the definition of data breach to “unauthorized access” to personal and private, moving away from “unauthorized acquisition of” data. By focusing on unauthorized access, the law more broadly defines data breach, increasing an organization’s liability.

Who Does The NY SHIELD Act Apply To?

The NY SHIELD Act follows the tradition started with the European Union General Data Protection Regulation (GDPR) establishing the extraterritorial definition of a responsible party as “any person or entity with private information of a New York Resident, not just to those that conduct business in New York State.”

As with many of the other up-and-coming legislative mandates in the United States, the New York legislature is attempting to force organizations into creating data security and privacy safeguards by increasing cybersecurity compliance requirements.

What Is Identity Governance and Administration (IGA)?

Identity Governance (IG) falls under the broader heading of Identity and Access Management (IAM) and involves the orchestration of policy-based user identity management and access controls during the access request and access certification process, also called provisioning, to meet regulatory compliance requirements such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). To comply with the requirements, many organizations choose Identity Governance and Administration (IGA) solutions to help manage user access, including privileged access, that streamline data privacy and security processes.

As organizations increasingly incorporate Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) services, they no longer retain full control over their IT infrastructure. In fact, this lack of control now shifts the perimeter to identity. To create a holistic data privacy and security compliance program, you need to start by creating an IGA program that ensures you know who accesses what resources while controlling how, why, and when they access them.

What Are the NY SHIELD Act Identity Governance and Administration (IGA) Compliance Requirements?

The NY SHIELD Act updates the previous breach notification law security requirements with the language, “require reasonable data security for private information, with a more flexible standard for small businesses, without creating new requirements for entities subject to existing or future regulations by any federal or other New York State government entity.”

As part of “reasonable security”, the NY SHIELD Act requires organizations to :

  • Identify reasonably foreseeable internal and external risks
  • Assess the sufficiency of approved reasonable safeguards in place to control the identified risks
  • Assess risks in information processing, transmission, and storage
  • Protect against unauthorized access to or use of private information during or after the collection, transportation and destruction, or disposal of the information

On a positive note, the regulation provides at least two small caveats:

  1. Individuals cannot sue companies in civil court
    • “no private cause of action” is available
    • All action is taken by the New York State Attorney General
  2. No notification is required if:
    • The access was an “inadvertent disclosure by persons authorized to access private information,” and
    • The responsible party deems that the exposure will not likely result in the misuse of the information or no financial harm to the affected persons will occur

Although this appears to be a sliver of hope in an otherwise overwhelming update, the “persons authorized to access private information” statement focuses on the need to create appropriate access controls that go beyond “access to a data storage, processing, or transmission” location. Not all users authorized to access your systems, software, and networks should have the ability to access all information. This distinction between information access and broader systems, software, and networks access means you need to create detailed access controls that limit to “least privilege” and maintain those controls.

What Is Access Control?

Access control means creating user credentials, maintaining an access management program, and continuously monitoring user access to ensure compliance with the organization’s authorization and authentication control policy. Logical access controls protect data privacy and security by limiting an identity’s access to business systems, networks, and software across on-premises, hybrid, or cloud IT infrastructure using either role-based access controls (RBAC) or attribute-based access controls (ABAC).

What Is Access Control in Computer Networks?

Network access control is a protocol for network security that requires authentication, authorization, endpoint security, access policy enforcement, access management, and identity management to ensure that users and devices accessing computer networks, systems, data, and resources maintain compliance with your security policy.

When the NY SHIELD Act discusses “authorized access,” it refers to a variety of network access controls. For example, an authorized user in your marketing department should be able to access resources such as a shared drive or a marketing tool. However, that same user does not need access to customer financial information. Thus, if you store financial information in a different database than potential sales leads, the marketing department users should only be authorized to one database.

In the healthcare industry, network and resource access needs to be limited so that lab clinicians can only access the information needed to process the lab samples. They do not need access to a patient’s entire electronic medical record (EMR).

In both these examples, the excess access could be considered a data breach under the NY SHIELD Act which is why IGA and Identity and Access Management (IAM) become driving data privacy and security controls.

How Intelligent Analytics Streamline NY SHIELD Act Compliance

Under the NY SHIELD Act, you are responsible for any unauthorized access to information. This update means that you need to create a risk-aware IGA program that enables your users to do their jobs while also limiting their access to “least privilege.” However, as organizations create digital transformation strategies, they find themselves struggling because new technologies increase the number of access points and change the definition of “identity.” Moreover, a complex IT infrastructure may lead to different definitions for roles and groups which makes monitoring access difficult. Automation with intelligent analytics can ease many of the access and identity management burdens facing many organizations.

Managing New Types of Identities

IaaS, PaaS, and SaaS ecosystems incorporate a variety of new non-person identities such as robotic process automation (RPA), Internet of Things (IoT) devices, serverless functions, workloads, containers, and service accounts. An automated tool that enables you to create identities for these types of entities should also enable monitoring to ensure appropriate access controls, such as succession management and segregation of duties (SOD) violations.

Reconciling Identity Definitions

Using intelligent analytics, automation can create a standardized identity warehouse for all identity and access definitions across your ecosystem. These tools compare the definitions provided by various services, then role-mine for similarities so you can create an authoritative source of identity.  Standardized definitions provide visibility into how users access information to help protect from unauthorized access such as privilege misuse.

Enforcing Risk-Aware Policies

The authoritative identity source establishes risk-based, context-aware rules within your automated tool, so you can more easily enforce them to meet NY SHIELD Act compliance. Intelligent analytics compare access requests to policies, then automatically alert you to potential violations. The automated tool can suggest remediation actions to prevent unauthorized access.

Streamlining Provisioning/Deprovisioning

Having an authoritative identity source streamlines the provisioning/deprovisioning process. Using an IGA solution with intelligent analytics can set timebound rules or provide alerts about potential compliance violations, such as excess or unauthorized access. Further, automated tools help prevent unauthorized access such as orphaned accounts or excess access when users join, move within, or leave the organization. Finally, the right automated tool enables you to create and monitor non-person identities such as APIs, RPAs, workloads, servers, and containers to maintain NY SHIELD Act compliance.

Reviewing User Access Requests

The access request/review/certification process often leads to unauthorized access arising from overwhelmed IT administrators and managers who automatically approve all requests or “rubber stamp” requests. Under the NY SHIELD Act, an organization can determine that the unauthorized access posed no risk to the individual. Using intelligent analytics and automation allows you to create risk-based, context-aware access controls that use best practices ABAC. Using these policies, intelligent analytics can create designated approver notifications, delegation rules, SOD rules, and escalations that streamline NY SHIELD Act compliance.

Documenting NY SHIELD Act Compliance

Identity analytics continuously monitor your ecosystem for anomalous access requests which allow you to prove governance over your access controls. By applying your access policies across your ecosystem, you can manage the identity lifecycle with risk-aware request escalations that require someone in the organization to purposefully review the request. Since the NY SHIELD Act allows organizations to set a risk tolerance, automation with risk-aware policies enables you to provide the documentation necessary for proving compliance. 

Why Saviynt? Assured Compliance-as-a-Service

Saviynt’s intelligent analytics streamline the IGA compliance process so that organizations can create a frictionless approach to managing the identity lifecycle. More than Identity-as-a-Service (IDaaS), we provide Assured Compliance-as-a-Service (CaaS).

Our Control Exchange is a library of over 200 controls, based on regulations, industry standards, and mission-critical IaaS, PaaS, and SaaS providers. Since the NY SHIELD Act specifically refers to regulatory requirements such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), setting controls using these can help establish a compliant access management and monitoring program. The rules and policies automatically integrate with your authoritative identity source so that our analytics can incorporate the controls into your holistic data privacy and security compliance program. After setting the controls and policy, the platform automatically alerts you to anomalous access requests and suggests remediation actions.

Our cloud-native platform provides flexible options for both on-premises and cloud-based deployments. As your organization creates digital transformation strategies, Saviynt’s platform can create a standardized authoritative identity source across the ecosystem. Our intelligent analytics provide role-mining capabilities that help establish “least privilege” entitlements to control access to and within your IaaS, PaaS, and SaaS environments.

Moreover, Saviynt’s peer- and usage-based analytics enable you to create context- and risk-aware ABAC rules. Our analytics compare users’ requests to their peers’ access to automatically grant or limit access. Our analytics enable IAM compliance by enforcing policies and internal controls.

For more information, contact us or engage in a free trial.

Schedule a Demo

Ready to see our solution in action?
Sign up for your demo today.

Saviynt named a Gartner® Peer Insights™ Customers’ Choice: IGA Learn More >