Identity Governance and Administration Compliance for NY SHIELD Act
What Is the NY SHIELD Act? – New York Stop Hacks and Improve Electronic Data Security
Senate Bill 5575, more commonly referred to as the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, was enacted on July 25, 2019 as an amendment to the General Business Law and the State Technology Law. It updates the breach notification requirements to impose stronger obligations on businesses handling private information and personal information, with the aim of mitigating threats that contribute to identity theft. Section 2 of the bill amends the title of article 39-F of the General Business Law. Section 3 of the bill amends section 899-aa of the General Business Law.
What Is Personal Information?
The NY SHIELD Act defines “personal information” as any data about a natural person that can be used to identify that individual, including a name, number, personal mark, or other identifier.
How Is Personal Information Different From Private Information?
While “personal information” is defined broadly, the NY SHIELD Act defines “private information” more narrowly: either personal information in combination with one or more traditional non-public personally identifiable data elements, or a user name/email address in combination with a password or security question/answer that permits access to an online account. The SHIELD Act defines the private information data elements as:
- Social security number
- Driver’s license number or non-driver identification card number
- Account number, credit card number, or debit card number in conjunction with:
  - Security code
  - Access code
  - Any other information that permits financial account access
- Account, credit card, or debit card number if such number permits financial account access without additional identifying information
- Biometric information, defined as data generated by electronic measurements of an individual’s unique physical characteristics, including but not limited to:
  - Voice print
  - Retina or iris scan
What Is The NY SHIELD Act’s Definition of a Data Breach?
The NY SHIELD Act shifts the definition of a data breach to “unauthorized access” to personal and private information, moving away from the earlier standard of “unauthorized acquisition of” data. Because an attacker may view data without ever copying it out, focusing on unauthorized access defines a data breach more broadly and increases an organization’s liability.
Who Does The NY SHIELD Act Apply To?
The NY SHIELD Act follows the tradition started with the European Union General Data Protection Regulation (GDPR) by establishing an extraterritorial definition of a responsible party as “any person or entity with private information of a New York Resident, not just to those that conduct business in New York State.” As with many of the other up-and-coming legislative mandates in the United States, the New York legislature is attempting to force organizations to create data security and privacy safeguards by increasing cybersecurity compliance requirements.
What Is Identity Governance and Administration (IGA)?
Identity Governance (IG) falls under the broader heading of Identity and Access Management (IAM). It involves the orchestration of policy-based user identity management and access controls during the access request and access certification process, also called provisioning, to meet regulatory compliance requirements such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). To comply with these requirements, many organizations choose Identity Governance and Administration (IGA) solutions that help manage user access, including privileged access, and that streamline data privacy and security processes. As organizations increasingly incorporate Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) services, they no longer retain full control over their IT infrastructure. This lack of control shifts the perimeter to identity. To create a holistic data privacy and security compliance program, you need to start by creating an IGA program that ensures you know who accesses what resources while controlling how, why, and when they access them.
What Are the NY SHIELD Act Identity Governance and Administration (IGA) Compliance Requirements?
The NY SHIELD Act updates the security requirements of the previous breach notification law with the language, “require reasonable data security for private information, with a more flexible standard for small businesses, without creating new requirements for entities subject to existing or future regulations by any federal or other New York State government entity.” As part of “reasonable security”, the NY SHIELD Act requires organizations to:
- Identify reasonably foreseeable internal and external risks
- Assess the sufficiency of the approved reasonable safeguards in place to control the identified risks
- Assess risks in information processing, transmission, and storage
- Protect against unauthorized access to or use of private information during or after the collection, transportation, destruction, or disposal of the information
The NY SHIELD Act also limits enforcement and notification as follows:
- Individuals cannot sue companies in civil court:
  - No “private cause of action” is available
  - All enforcement action is taken by the New York State Attorney General
- No notification is required if:
  - The access was an “inadvertent disclosure by persons authorized to access private information,” and
  - The responsible party determines that the exposure is not likely to result in misuse of the information or in financial harm to the affected persons