BM Trada Logo Library
Get a quote
Home Resources Blog March 2021

Implementing ISO Security and Privacy Frameworks to Meet the New York SHIELD Act

10 March 2021
What are the common challenges that organizations encounter when facing new regulatory requirements applicable to their business?

The common challenges are:

  1. How does the organization ensure that it fully meets the regulatory requirements?

  2. How does the organization demonstrate to external stakeholders, such as clients and regulators, that the regulatory requirements have been met with reasonable assurances?

This article aims to answer these questions as it applies specifically in complying with the New York SHIELD Act by implementing ISO 27001 and ISO 27701 standards. However, this methodology can also be applied to any other security and regulatory privacy requirements.

What is the New York SHIELD Act?

On March 21, 2020, the data security provisions of New York's Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") went into effect.

The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York ("covered business") to implement and maintain reasonable safeguards to protect the confidentiality, integrity, and availability of the private information.

With the goal of strengthening protection for New York residents against data breaches affecting their private information, the SHIELD Act imposes more comprehensive data security. It updates its existing data breach notification requirements.

What is considered to be "private data under the NY SHIELD Act"?

Unlike many other states that use the term "personal information" to define the data set to be protected, the SHIELD Act uses the term "private information" to refer to the key data elements protected under the statute. Businesses that complied with the breach notification law in New York before the SHIELD Act should become familiar with the law's expanded definition of private information.

The SHIELD Act defines "private information" the same way for both the breach notification and the data security protection requirements. Private information is, in part, a subset of "personal information." Whereas, personal information is "any information concerning a natural person which, because of name, number, personal mark, or other identifiers, can be used to identify such natural person."

What is ISO/IEC 27001 and ISO/IEC 27701?

ISO/IEC 27001 is an international standard on how to manage information security by implementing an Information Security Management System (ISMS); whereas, ISO/IEC 27701 is an international standard that builds upon the security framework by implementing a Privacy Information Management System (PIMS).

How does the organization ensure that it fully meets the NY SHIELD ACT requirements?

The SHIELD Act does not mandate specific safeguards. Instead, it guides businesses on how to be deemed compliant if it implements a "data security program" that includes reasonable administrative, technical, and physical safeguards enumerated in the SHIELD Act. 

To ensure that the data security program is acceptable to relevant internal and external stakeholders, the organization should consider aligning it with international standards. Hence, implementing ISO 27001 and ISO 27701 helps achieve this mission. 

Below are detailed examples of how ISO Framework serves as a guideline to meet the specific safeguards referenced in the NY SHIELD Act.

Administrative Safeguards

Examples of safeguards referenced in NY SHIELD

ISO 27001 Framework

ISO 27701 Framework

Designate individual(s) responsible for security programs

5.3 - Organizational roles, responsibilities and authorities
A.6.1.1 - Information security roles and responsibilities
A.7.2.1 - Management responsibilities

5.3.3 - Organizational roles, responsibilities and authorities
6.3.1.1 - Information security roles and responsibilities
6.4.2.1 - Management responsibilities

Conduct a risk assessment process one that identifies
reasonably foreseeable internal and external risks and assesses
the sufficiency of safeguards in place to control those risks

6.1.2 - Information security risk assessment
6.1.3 - Information security risk treatment
8.2 - Information security risk assessment
8.3 - Information security risk treatment

5.4.1.2 - Information security risk assessment
5.4.1.3 - Information security risk treatment
5.6.2 - Information security risk assessment
5.6.3 - Information security risk treatment

Train and manage employees in security program practices and procedures

7.3 - Awareness
A.7.2.2 - Information security awareness, education and training

5.5.3 - Awareness
6.4.2.2 - Information security awareness, education and training

Select capable service providers and require safeguards by contract

A.15 - Supplier relationships

6.12 - Supplier relationships

Adjust program(s) in light of business changes or new circumstances

4 - Context of the organization
10 - Improvement

5.2 - Context of the organization
5.8 Improvement

Maintaining written policies and procedures

5.2 - Policy
A.5.1.1 - Policies for information security
A.6.2.1 - Mobile Device Policy
A.9.1.1 - Access Control Policy
A.10.1.1 - Policy on the use of cryptographic controls
A.11.2.9 - Clear desk and clear screen policy
A.14.2.1 - Secure development policy
A.15.1.1 - Information security policy for supplier
relationships

5.3.2 - Policy
6.2.1.1 - Policies for information security
6.3.2.1 Mobile Device Policy
6.6.1.1 - Access Control Policy
6.7.1.1 - Policy on the use of cryptographic controls
6.8.2.9 - Clear desk and clear screen policy
6.11.2.1 - Secure development policy
6.12.1.1 - Information security policy for supplier relationships

Applying sanctions to individuals who violate the organization's data privacy and security policies and procedures

A.7.2.3 - Disciplinary process

6.4.2.3 - Disciplinary procedures

Tracking inventory of equipment and devices

A.8.1.1 - Inventory of assets

6.5.1.2 - Inventory of assets

Develop and practice an incident response program

A.16 - Information security incident management

6.13 - Information security incident management

Maintaining and implementing a record retention and destruction policy.

7.5 - Documented information
A.8.1.3 - Protection of records

5.5.5 - Documented information
6.15.1.3 - Protection of records


Physical Safeguards

Examples of safeguards referenced in NY SHIELD

ISO 27001 Framework

ISO 27701 Framework

Assess risks of information storage and disposal

A.8.3 - Media handling
A.11.2.7 - Secure disposal or reuse of equipment

6.5.3.1 - Media handling
6.8.2.7 - Secure disposal or reuse of equipment

Detect, prevent, and respond to intrusions

A.16 - Information security incident management

6.12 - Information security incident management

Protect against unauthorized access/use of private information during or after collection, transportation, and destruction/disposal

A.8.3 - Media handling
A.13.2 - Information transfer
A.11.2.5 - Removal of assets
A.11.2.6 - Security of equipment and assets off-premises
A.11.2.7 - Secure disposal or reuse of equipment

6.5.3.1 - Media handling
6.10.2 - Information transfer
6.8.2.5  - Removal of assets
6.8.2.6 - Security of equipment and assets off-premises
6.8.2.7 - Secure disposal or reuse of equipment

Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes.

A.18.1.4 - Privacy and protection of personally identifiable information

7 - Additional ISO/IEC 27002 guidance for PII controllers
8 - Additional ISO/IEC 27002 guidance for PII processors
Annex A - PIMS-specific reference control objectives and controls (PII Controllers)
Annex B - PIMS-specific reference control objectives and controls (PII Processors)

Implementing facility security plans

A.11 - Physical and environmental security

6.8 - Physical and environmental security

Maintaining and practicing disaster recovery and business continuity plans

A.17 - Information security aspects of business continuity management

6.14 - Information security aspects of business continuity management


Technical Safeguards

Examples of safeguards referenced in NY SHIELD

ISO 27001 Framework

ISO 27701 Framework

Assess risks in network and software design

A.14 - System acquisition, development and maintenance

6.11 - System acquisition, development and maintenance

Detect, prevent, and respond to attacks or system failures

A.12.4 - Logging and monitoring
A.16 - Information security incident management

6.9. 4 - Logging and monitoring
6.12 - Information security incident management

Regularly test and monitor the effectiveness of key controls, systems, and procedures

A.12.7 - Information systems audit considerations
A.18.2 - Information security reviews

6.9.7 - Information systems audit considerations
6.15.2 - Information security reviews

Developing access management plans

A.9 - Access control

6.6 - Access control

Deploying encryption and data loss prevention tools

A.10 - Cryptography
A.12.2 - Protection from malware

6.7 - Cryptography
6.9.2 - Protection from malware

Regularly updating antivirus and malware protection

A.12.2 - Protection from malware

6.9.2 - Protection from malware

How does the organization demonstrate to external stakeholders, such as clients and regulators, that the NY SHIELD Act has been met with reasonable assurances?

The advice I give my clients to demonstrate reasonable compliance with NY SHIELD Act to external stakeholders is to build the organization's safeguards based on the ISO 27001 standard.

An additional step to further provide assurance is to certify the ISMS with a reputable certification body (e.g., NQA) by testing the effectiveness of the organization's control framework. The ISO certification serves as an official document that can be shared with the external stakeholders showing that compliance has been achieved and validated by independent competent auditors.

As of this writing, New York is in the process of enacting the "Safeguard Data Security Rights," regulation, which is similar to GDPR and CCPA, and it complements NY SHIELD Act. The aim is to guarantee New York residents the right to access, control, and erase their data collected, the right to nondiscrimination from providers for exercising these rights, and the right to equal access to services.

The organization can take the same approach for demonstrating compliance by building a PIMS that meets ISO 27701 certification.


Authored by Felice Priante - Principal Consultant at DataGuardZ, Inc.
JD, MBA, CIPP /E, CIPM, CIPT, CDPSE, CISSP, CISA, SSCP, CISM, CRISC, CFE, CCNA, CNE, CCSA, ABCP