By Matthew J. Schiavone, CPA, CISSP, CISA
Data security and privacy are challenges for businesses large and small. Now, evolving regulations are compounding the work of keeping threat actors at bay with the added worry of compliance.
The California Consumer Privacy Act and Europe’s General Data Protection Regulation (GDPR) might seem to be faraway concerns for Pennsylvania companies, but they are inspiring regulations closer to home, and Pennsylvania firms need to take notice. Case in point: New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which extends the state’s data-breach notification requirements beyond entities conducting business in New York to any person or business that holds private information on a New York resident.
The act also broadens the categories of information covered under New York’s breach notification law to include biometric information, and a username or email address in combination with a password or a security question and answer. Previously covered data still counts, of course: personal information (any information that can be used to identify a person) in combination with a data element such as a Social Security number, a driver’s license number, or an account or card number together with the access code or password that permits use of the account.
The SHIELD Act also broadens the definition of a data breach: unauthorized access to private information now counts, not just unauthorized acquisition of it. And it requires reasonable data security, imposing greater obligations on businesses to secure customers’ private data and to notify properly when breaches occur.
Any person or business that owns or licenses computerized data that includes the private data of a resident of New York must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information, including, but not limited to, the disposal of the data.
SHIELD Act Compliance
A business is deemed in compliance with the new law’s data security requirement if it is a regulated entity already subject to, and complying with, an established set of security and privacy safeguards, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), or other comparable data security laws and regulations. A small business is instead held to safeguards appropriate to its size and complexity, the nature of its activities, and the sensitivity of the information it holds.
Failure to comply with the breach notification requirements can cost a company the greater of $5,000 or $20 per failed notification, up to a maximum of $250,000. For violations of the new data security standards, courts may impose civil penalties of up to $5,000 per violation, with no cap on the total.
To avoid these penalties, companies should do the following:
- Clearly understand the breach notification requirements and implement a mechanism to identify, respond to, and report breaches accordingly
- Ensure the reasonable security safeguards defined in the SHIELD Act are implemented
Achieving Reasonable Security Safeguards
Follow these steps to implement and meet the SHIELD Act’s “reasonable security safeguards”:
- Designate an employee to coordinate the security program and ensure that he or she has sufficient resources: training, a budget for security initiatives, and visible assurance from management that the role is critical to the business’s success and fully supported.
- Conduct a risk assessment at least annually so that the security program is adjusted for business changes and new circumstances. The assessment gives you a baseline from which to mitigate the major risks and build out the program.
- Make sure your technical controls are sufficient and operating effectively. Conduct regular vulnerability scans and periodic penetration testing, and remediate what they find.
- Implement critical policies, including incident response, disaster recovery, business continuity, data retention and disposal, and vendor risk management.
- Ensure sufficient physical and environmental controls are implemented and effectively protect physical and digital assets.
- Audit your controls. You don’t have to hire an independent external auditor; an internal audit can be cost-effective, but do not sacrifice independence and objectivity: the people who operate a control should not be the ones assessing it.
Performing these steps will help you comply with New York’s SHIELD Act, minimize the risk of a data breach, and establish a baseline security program.
Matthew J. Schiavone, CPA, CISSP, CISA, is a senior manager in the quality control department of HBK in Warrendale. He specializes in risk advisory services, SOC reporting, internal controls, IT audit, information security, and cybersecurity. He can be reached at email@example.com.