The NYS SHIELD Act was developed to protect private consumer data in the digital era. We’ve covered the specifics of the act in detail in our blog here.
The act already has updated and tightened requirements for consumer breach notifications, turning New York State into a “breach access” state instead of a “breach acquired” state.
In March 2020, many organizations will be required to develop a new, more stringent data security program based on rigorous risk analysis and threat prevention mechanisms.
Pre-Compliance with the NYS SHIELD Act
Fortunately for a good number of businesses, there are existing laws that pre-establish compliance with the NYS SHIELD Act and forgo any requirement of data mapping and threat evaluation. Many of them function in a very similar way to the NYS SHIELD Act.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a United States federal law requiring financial institutions to disclose exactly how, when and whether they safeguard private information.
The act mandates that customers must be notified in the event private information is shared between financial institutions or third parties, and customers also must be given the chance to opt out of private information sharing.
It also requires financial institutions to track users who access protected data, which helps keep a paper trail in the event any private information is misused.
Similar to the NYS SHIELD Act, the GLBA requires an information security program that assesses the risks to data security and implements relevant safeguards as well as the onboarding of competent service providers.
Cybersecurity Regulations of the NYS Department of Financial Services
The New York Department of Financial Services (NYDFS) places regulations on all of the following categories of institution:
- Insurance companies
- Private bankers
- Mortgage companies
- State-chartered banks
- Foreign banks licensed to operate in the state of New York
- Service providers
Any of these entities already falls under regulations established by the NYDFS, which require them to establish a cybersecurity framework to identify internal and external threats, establish defense networks, and engage in all necessary reporting in the event of a breach. The use of data encryption is required, as is annual certification by all entities using protected data and the use of multi-factor authentication tools.
All entities abiding by these protocols are already considered compliant with the NYS SHIELD Act.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was developed to prevent the exposure of protected health information (PHI), and any organization that handles PHI electronically is required to abide by the rules of HIPAA. These can include:
- Nursing homes.
- Insurance companies.