Written by: Daniel Haurey on 09/21/19


On July 25, 2019, New York State Governor Andrew Cuomo signed Senate Bill S5575B into law.  This law, colloquially known as the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), amends the state’s breach notification law, N.Y. Gen. Bus. Law § 899-aa, and adds a new data security requirement, § 899-bb.  The SHIELD Act broadens both the definition of private information and what counts as a breach of that information.  It also requires any business that holds the private information of New York residents to maintain reasonable administrative, technical, and physical safeguards to reduce the likelihood of a breach.  Exigent Technologies is an Arctic Wolf Networks partner, and we wholeheartedly submit that Arctic Wolf’s SOC-as-a-service (SOCaaS) is a great way to maintain compliance with the SHIELD Act.

Prior to the SHIELD Act, a breach was defined as the unauthorized acquisition of private information.  Now, unauthorized access to private information, even merely viewing it, is considered a breach, whether or not the information is ever copied or transferred out of its custodian’s control.

Private information, the definition of which is now greatly expanded, includes the following.

  • Any individually identifiable information, such as a name, number, or other identifier, in combination with one or more of the following:
    • Social Security number
    • Driver’s license number or non-driver identification card number
    • Access code
    • Password
    • Other information that would permit access to the individual’s financial account
    • Biometric information, such as a fingerprint, voice print, or retina or iris image
  • Any individually identifiable information coupled with a credit or debit card number, if that number alone could be used to access the individual’s financial account without any additional identifying information
  • A username or email address coupled with a password, or with a security question and answer, that would permit access to an online account

The data security requirements take effect on March 21, 2020 (the amended breach notification provisions took effect earlier, on October 23, 2019). Businesses should immediately begin work to align with the Act’s requirements.  Compliance is neither a quick nor a one-time endeavor, so proper planning is critical.  Here are some important points regarding this new legislation.

  • The core of the Act is to protect the confidentiality and integrity of the private information of NYS residents. It does so by requiring businesses to maintain reasonable safeguards to that effect.
  • The Act applies to any employer, individual, or organization (for-profit or not-for-profit) that collects private information of NYS residents, regardless of where that business is located.
  • There are no exemptions. Even small businesses are required to comply with the Act, although the safeguards a small business must maintain may be scaled to its size and complexity, the nature of its activities, and the sensitivity of the information it holds.
  • Organizations that are already in compliance with GLBA, HIPAA, or the NYS Department of Financial Services cybersecurity regulation (23 NYCRR 500) are deemed in compliance with the SHIELD Act’s data security requirements.
  • Compliance is enforced by the NYS Attorney General; there is no private right of action. Failure to comply may result in injunctive relief and civil penalties of up to $5,000 per violation, levied against organizations and individuals.

Reasonable safeguards under the Act are categorized the same way as in the HIPAA Security Rule, namely Administrative, Technical, and Physical.

Specifically called out within the Technical Safeguards section is the requirement that the person or business “detect, prevent, and respond to attacks or system failures; and regularly test and monitor the effectiveness of key controls, systems, and procedures.”  This is the core of Arctic Wolf’s Managed Detection and Response service.  Arctic Wolf Networks security analysts hunt for threats and indicators of compromise within customer networks on a 24/7/365 basis.

The other key safeguard addressed by Arctic Wolf Networks, listed under the Act’s Administrative Safeguards, is the need to “identify reasonably foreseeable internal and external risks.”  Arctic Wolf’s Managed Risk offering provides continuous internal and external vulnerability scanning, coupled with monthly analyst-led risk reviews and quarterly “big picture” reviews, so that a company can show it is making measurable progress on risk reduction.

Keep in mind that network security monitoring and vulnerability management are not “one and done” activities.  They must be performed on a continuous basis now and into the future.

If you think the SHIELD Act is overbearing, keep in mind that other states have had similar requirements for nearly a decade.  It’s about time New York State joined them, for the benefit of all of its citizens.

Exigent Technologies is an Arctic Wolf Networks Partner/Reseller with offices in NJ and NY.  SHIELD Act consulting services are offered through our sister organization, Partners in Regulatory Compliance.