The SHIELD Act: New York’s Newest Cybersecurity Regulation:

Other than California, New York now has some of the strictest cybersecurity regulations in the U.S. In 2017, New York passed a bill that regulates data privacy for the financial services. Now, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) is in effect as of March 21st. Unlike previous legislation, compliance is not limited to specific industries and pertains to any business that processes the personal information of New York residents. And, despite the current pandemic, lawmakers have not delayed the implementation of the new law.

Here is what you need to know to ensure compliance with the SHEILD Act.

Protected Data

Much of the data protected under the SHIELD act is already covered by the state’s breach notification laws. This includes social security numbers, driver license numbers, account numbers, and debit and credit card numbers. However, the new regulation expands the definition of protected data by also including biometric data, and email addresses in combination with passwords or security questions and answers.

The SHIELD Act also expands the definition of a security breach. A breach is considered to occur not just if an unauthorized person takes or uses private information, but also if that data is accessible to anyone not considered authorized to view that information. There are many examples of where this could possibly take place, including providing access of sensitive information to third party vendors who do not need to access that information or having the credentials of an email account compromised even though there was no sensitive data in the email folder.

Security Requirements

The SHIELD Act also lays out a series of cybersecurity protections needed to maintain compliance with the regulation. Broadly, the act requires businesses to put in place “reasonable safeguards” to ensure the privacy of their information. However, the regulation also requires organizations to maintain a written cybersecurity policy. One of the unique requirements of the policy is that organization must have at least one employee dedicated to maintaining cybersecurity procedures. In addition, cybersecurity policies need to address the following:

  • Identification of internal and external security risks
  • Assessment of the ability of technical safeguards to protect against identified risks
  • The training of employees on security practices
  • Reviewing security practices of third party vendors
  • Proper detection and response to unauthorized access
  • Regular testing of security controls
  • Secure disposal of protected information within a reasonable time frame.


There are certain businesses that do not need to meet these exact security requirements. Small businesses with under 50 employees, for example, are exempt if they can demonstrate they have taken reasonable steps to ensure the privacy of their information. In addition, organization already regulated by other privacy laws such as HIPAA, Graham-Leach-Bliley Act, or New York Department of Financial Services regulations are covered if they maintain compliance with these other regulations.

Because the scope of the SHIELD Act is so broad and could affect many businesses outside of New York, it is very important for all organizations to carefully review the new regulation. New York is likely to begin enforcement of the regulations very soon, and non-compliant business may receive fines of $5,000 per violation with no penalty caps.

However, even businesses not affected by the SHIELD Act should think seriously about implementing some of the recommended security measures. More and more states are beginning to implement similar regulations, and the burden of implementation could be costly if it is left to the last minute.

Subscribe to our blog here:

Beyond Compliance

Like the often quoted phrase, “A camel is a horse designed by committee”, compliance regulations often do more to over complicate issues than solve them.  At the same time, companies that just focus on meeting compliance standards can miss addressing the risks the compliance measures were designed to mitigate.

After all, Target Department Stores successfully passed a PCI audit two months before their massive breach in 2013.

Naomi Lefkovitz of the National Institute of Standards and Technology perhaps said it best when discussing privacy risk at a conference last month in Brussels.  “If you do something that upsets your customers from a privacy standpoint and then you tell them  ‘Well I’ve done everything correct under the law’ will they be any more satisfied?  Probably not.  That’s privacy risk in a nutshell.”

When focusing on cybersecurity or data privacy, the key is to understand what your risks are.  In many cases those risks will involve other parties and you need to determine the impact that an incident will have on them when you determine how to and where to take preventive action.

“Focus on your customers and your employees and the business will take care of itself,” is another often quoted phrase.  If you do that as you put together your cybersecurity and data privacy practices, compliance and the rest of the business will take care of itself, as well.


Keeping Standards High: PCI Compliance

When processing customer’s payments, you are asking them to trust you with some of the most sensitive information they have. It’s essential to ensure that data is being properly secured. One of the main ways organizations can ensure data security is by complying with the Payment Card Industry Data Security Standard (PCI DSS). While PCI DSS is not government mandated, it is required by Visa, American Express, MasterCard, Discover, and JCB International before handling any amount of payment cards by these companies. So, if you process payments cards by any of these brands you’ll need to be in compliance.  

The PCI DSS outlines 12 privacy-focused requirements for companies. These requirements include both operational and technical components ranging from encryption of card holder data, to regular vulnerability tests, to the development of a comprehensive Information Security Policy. You can find an overview of all 12 requirements here.   

Compliance Validation for Processors 

While all companies processing any amount of payment card information need to meet the 12 PCI DSS requirements, the method of validating compliance differs. Reporting requirements are based primarily on processing volume (amount of payment cards processed) and whether a company has suffered data breach in the past. Each credit card company has slightly different reporting requirements, but in general compliance reporting breaks down as follows:  

  • Organizations handling large amount of transactions or who have suffered a breach will be required to have an onsite assessment completed by an external, Qualified Security Assessor (QSA). 
  • Organizations with smaller processing volume can instead opt-in to file a Self-Assessment Questionnaire. The specific questionnaire required depends on several variables, such as whether you are an e-commerce merchant, type of payment terminal used, and whether processing is outsourced to third-party. 
  • All organizations must complete quarterly network scans through an Approved Scan Vendor (ASV) 

Again, you’ll need to check with specific card providers to understand your merchant level. Here are links to each brand’s validation requirements: VisaMasterCardAmerican ExpressDiscoverJCB International 

Compliance Requirements If You Use Third-Party Processors

Using a third-party can help streamline payment processing but does not exempt organizations from PCI compliance and reporting requirements. Organizations that outsource processing are still ultimately responsible for ensuring secure processing. This requires a self-assessment questionnaire that evaluates your security posture. Typically, this would either be PCI SAQ-A or SAQ A-EP.  In addition, you should vet third-party vendors before working with them, create detailed agreements with policies and procedures that outline each party’s responsibilities in maintaining compliance, as well as regularly monitor your vendor’s compliance statues. Full information on using third-party vendors can be found here. 

Credit card fraud can be a devastating experience. So when a customer chooses to hand over payment information, they are putting an extreme about of trust in your organization to handle that information with care. Whether you process the information yourself, or use a third-party, at the end of the day you are responsible for ensure that your customer’s sensitive information is completely secure. PCI DSS compliance is one of the most useful tools for doing this