10 minute read
Features
SHIELD Breaking Down the NY By Michael Montagliano Act
New York’s new Stop Hacks and Improve Electronic Data Security (SHIELD) Act is broadening the state’s security breach notification requirements (899-AA) and requiring businesses to implement reasonable administrative, technical and physical safeguards for New York residents’ private information (899-BB). Signed by Governor Andrew M. Cuomo on July 26, 2019, SHIELD’s breach notification requirements took effect in October last year, with safeguard requirements due by March 2020.
Why the SHIELD Act is needed The updated breach notification law was designed to “keep pace with current technology.” And if we look at technology’s current state, that’s easily understood. Organizations have seen a digital transformation over the past few years as workloads move from on-premise to multiple cloud services, including Software (SaaS), Platform (PaaS) and Infrastructure (IaaS). Data is being transferred
ROBEX — Quarter 1 • 2020 and dispersed – and the attack surface broadened – making information containment and control much more challenging. The threat landscape has changed dramatically. Hackers are taking advantage of advanced technologies such as artificial intelligence, machine learning and data analytics to build new capabilities, including shapeshifter malware with the ability to analyze network defenses and modify malicious code on the fly to circumvent those defenses. Cybercrime economics statistics are staggering, with $6 trillion in annual global losses expected by 2021. For New York State, the cost of a lost record is $148, up 4.8 percent from 2018. The average recovery cost from a breach stands at $3.86 million. The need for the new SHIELD Act is evident in the numbers.
When the SHIELD Act applies The SHIELD Act applies to any person or business that owns or licenses computerized data that includes a New York resident’s private information and not just those that conduct business within New York State. The law applies to both regulated and unregulated companies, but “without imposing duplicate obligations on those already subject to other federal or New York State data security regulations.” That means if a person or company (the Department of Financial Services, for example) is already regulated by existing New York or federal data regulations (including the Gramm-LeachBliley Act or HIPAA), they should already have the appropriate level of controls in place to be considered compliant with the SHIELD Act. However, companies should keep in mind that those controls must be applied to any additional data types included in the SHIELD Act. Protected private information for New York residents includes the following.
continued on page 18
Since 1977 • QUALITY • SERVICE Lakeside is the area’s only Locally Owned, Independent Distributor - When you buy local, your money stays local.
ROOFING • SIDING • WINDOWS • DOORS • RAILING & DECKING DECORATIVE STONE • EPDM ROOFING • KITCHEN CABINETS ONTARIO, NY 6296 Lakeside Road (315) 524-9420 BROCKPORT, NY 5954 Route 31 (585) 637-4710 HANNIBAL, NY 1082 Auburn Street (315) 564-3212 ROOFING & SIDING MATERIALS, INC. 6296 LAKESIDE ROAD • ONTARIO, NY 14519 (315) 524-9420 • (585) 265-3226 • FAX (315) 524-5229 ROOFING & SIDING MATERIALS, INC. 1082 AUBURN STREET • HANNIBAL, NY 13074 (315) 564-3212 • FAX (315) 564-3297 BUILDING PRODUCTS, INC. 5954 ROUTE 31 • BROCKPORT, NY 14420 (585) 637-4710 • FAX (585) 637-4784
• PRICE We Deliver!
ROLLOFF SERVICES, LLC 6296 LAKESIDE ROAD • ONTARIO, NY 14519 (315) 524-3100 • FAX (315) 524-5229
NEW & EXCITING PARTNERSHIP
NEW & EXCITING PARTNERSHIP & We are proud to announce that beginning July 1, 2019 Lakeside Quality Building Products will be carrying Marvin window and door products. Lakeside is determined to be your best choice for all and are excited to be carrying this well-crafted product that is inspired by how you live. Marvin features three distinct collections, each defined by the degree of design detail, flexibility, and customization opportunities. Across these collections you will find the beautiful design, superior quality, and the thoughtful support you always get from Marvin. More Flexible More Streamlined ROOFING • SIDING • WINDOWS • DOORS • RAILING & DECKING • LUMBER • DECORATIVE STONE EPDM ROOFING • KITCHEN CABINETS • MILLWORK • WINTER WEATHER MANAGEMENT PRODUCTS • WOOD PELLETS We are proud to carry Marvin window and door products. Lakeside is determined to be your best choice for all your building product needs, and are excited to be carrying this well-crafted product that is inspired by how you live. Marvin features three distinct collections, each defined by the degree of design detail, flexibility, and customization opportunities. Across these collections you will find the beautiful design, superior quality, and the thoughtful support you always get from Marvin and Lakeside. We are proud to announce that beginning July 1, 2019 Lakeside Quality Building Products will be carrying Marvin window and door products. Lakeside is determined to be your best choice for all and are excited to be carrying this well-crafted product that is inspired by how you live. Marvin features three distinct collections, each defined by the degree of design detail, flexibility, and customization opportunities. Across these collections you will find the beautiful design, superior quality, and the We Deliver!
SIGNATURE COLLECTION ELEVATE COLLECTION ESSENTIAL COLLECTION Previously known as Marvin Windows and Doors Previously known as Integrity Wood-Ultrex Previously known as Integrity Wood-UltrexIntegrity All Ultrex Lakesideroofingandsiding.com Lakeside Building Products, Inc. 5954 Route 31 • Brockport, NY 14420 (585) 637-4710 • FAX (585) 637-4784 Roofing & Siding Materials Inc. 1082 Auburn Street • Hannibal, NY 13074 (315) 564-3212 • FAX (315) 564-3297 Roofing & Siding Materials Inc. 6296 Lakeside Road • Ontario, NY 14519 (315) 524-9420 • (585) 265-3226 • FAX (315) 524-5229 More Streamlined ESSENTIAL COLLECTION Rolloff Services, LLC. 6296 Lakeside Road • Ontario, NY 14519 (315) 524-9420 • FAX (315) 524-5229 Roofing & Siding Materials Inc. 1902 Route 14 • Geneva, NY 14456 (315) 325-4212
• User names or email addresses, in combination with a password or security question and answer, that would permit access to an online account. • A name or other information that can be used to identify a specific person, in combination with any of the following: Social Security number, driver’s license number or non-driver identification card number. • Driver’s license number or non-driver identification card number. • Account, credit or debit card number in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account • Account, credit or debit card number, if the number could be used to access an individual’s financial account without additional identifying information, security code, access code or password • Biometric information, specifically data generated by electronic measurements of an individual’s unique physical characteristics, including fingerprint, voiceprint, or retina or iris image, or other unique physical representation or digital representations used to authenticate an individual’s identity
Defining a breach P rior versions of the law defined a breach as the unauthorized acquisition of private information. A breach only needed to be reported if you were confident information was exfiltrated from the network. Starting October 23, the SHIELD Act expanded the definition of a breach to include any unauthorized access to private or personal information. Now, any unauthorized viewing of private or personal information is considered a breach and requires notification of the attorney general, even if there is no evidence the data was removed.
Security Requirements The SHIELD Act r equires organizations to develop, implement and maintain “reasonable” administrative, technical and physical
Tel: 585-458-0150, Fax: 585-458-0281
www.davisfetchcorp.com
safeguards to protect and securely dispose of New York residents’ private information. However, the requirements read more like mission statements than specific control requirements, so here’s an attempt at translating the requirements into high-level action plans for organizations.
Administrative Safeguards • Designate one or more employees to coordinate the security program: assign security responsibility, appoint or outsource CISO. • Identify reasonably foreseeable internal and external risk: develop a risk management plan. • A ssess the sufficiency of safeguards in place to control the identified risks: perform a gap analysis to identify deficiencies and develop a plan of action for remediation. • Train and manage employees in security program practices and procedures: implement a training program aligned with organization policies and procedures, security reminders and user testing. • Select service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract: develop a third-party security audit and contractual process for onboarding service providers and for ongoing safeguard evaluation. • Adjust the security pr ogram in light of business changes or new circumstances: implement change management
Technical Safeguards Assess risks in network and software design: vulnerability management, including authenticated scans of external and internal network assets Assess risks in information processing, transmission and storage: monitor data flows and boundary defenses. Detect, prevent and respond to attacks or system failures: develop a documented incident response plan. Regularly test and monitor the effectiveness of key controls, systems and procedures: develop an internal audit process.
Building Solutions to Manage Risk
At USI, we’ve become a leader by doing things di erently. We bring decades of risk management experience, a proprietary risk analysis process, and a local team supported by the expertise of more than 7,000 professionals nationwide. Let us show you how the right plan and the right partner can help protect your company’s most valuable assets and all of your personal insurance needs.
JOHN COSTELLO, CIC, CRIS Regional Insurance Sales Manager USI Insurance Services 777 Canal View Boulevard Rochester, NY 14623 john.costello@usi.com | 585.736.5942
Customized Insurance Programs | Captives | Surety | Contract Review | Claims and Risk Management 855.874.0123 | www.usi.com
Physical Safeguards • Assess risks of information storage and disposal: develop storage media policies and procedures. • Detect, prevent and respond to intrusions: again, develop a documented incident response plan. • Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information: implement access control policies and procedures. • Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so the information cannot be read or reconstructed: develop documented data retention and media disposal policy
Fines and Penalties The penalties for violating the SHIELD Act are somewhat murky. The state attorney general may prosecute the offending organization if it fails to implement reasonable administrative, technical and physical safeguards to secure New York residents’ private or personal information.
If an organization fails to comply with the SHIELD Act’s breach notification requirements, the attorney general may impose a civil penalty of the greater of $5,000 or $20 per instance of failed notification, with a new ceiling of $250,000 -- twice the previous penalty. The March 23 deadline is quickly approaching, and for organizations that are starting at square one, getting to compliance with the SHIELD Act is going to require a substantial effort. The clock is ticking. Go!
Michael Montagliano is the Chief Technology Officer at iV4. Contact him at mmontagliano@iv4.com.
