On July 25, 2019, New York State Governor Andrew Cuomo signed Update S5575B. This law, colloquially known as the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), amends the state’s breach notification law, N.Y. Gen. Bus. Law § 899-aa. The SHIELD Act broadens the definition of private information and what is meant by a breach of information. Furthermore, it requires businesses to maintain a strict set of controls to mitigate the likelihood of a breach of private information. Exigent Technologies is an Arctic Wolf Partner, and we wholeheartedly submit that using Arctic Wolf Networks SOCaaS is a great way to maintain compliance with the SHIELD Act.
Prior to the SHIELD Act, a breach was defined as the unauthorized acquisition of private information. Now, mere unauthorized viewing of private information is considered a breach, whether or not the information is transferred out of the care of its custodian.
Private information, the definition of which is now greatly expanded, includes the following.
The law takes effect on March 21, 2020. Businesses should immediately begin work to align with the Act’s requirements. Compliance is neither a quick nor a one-time endeavor, so proper planning is critical. Here are some important points regarding this new legislation.
Reasonable safeguards under the Act are categorized in the same way as in the HIPAA Security Rule, namely Administrative, Physical, and Technical.
Specifically called out within the Technical Safeguards section is the requirement of the person or business to “detect, prevent, and respond to attacks or system failures; and regularly test and monitor the effectiveness of key controls, systems, and procedures.” This is at the core of Arctic Wolf’s Managed Detection and Response service. Arctic Wolf Networks cybersecurity analysts hunt for threats and indicators of compromise within customer networks on a 24/7/365 basis.
The other key Technical Safeguard addressed by Arctic Wolf Networks is the need to “identify reasonably foreseeable internal and external risks.” Arctic Wolf’s Managed Risk platform is a continuous internal and external vulnerability management platform coupled with monthly human-led risk reviews and quarterly “big picture” reviews to ensure companies are marching toward the path of risk reduction.
Keep in mind that network security monitoring and vulnerability management are not “one and done” activities. They must be performed on a continuous basis now and into the future.
If you think the SHIELD Act is overbearing, keep in mind that other states have similar requirements and have had them for nearly a decade. It’s about time NY state hops on the information-protecting bandwagon for the benefit of all New York State citizens.
Exigent Technologies is an Arctic Wolf Networks Partner/Reseller with offices in NJ and NY. SHIELD Act consulting services are offered through our sister organization, Partners in Regulatory Compliance.