Implementing ISO Security and Privacy Frameworks to Meet the New York SHIELD Act
The common challenges are:
-
How does the organization ensure that it fully meets the regulatory requirements?
-
How does the organization demonstrate to external stakeholders, such as clients and regulators, that the regulatory requirements have been met with reasonable assurances?
This article aims to answer these questions as it applies specifically in complying with the New York SHIELD Act by implementing ISO 27001 and ISO 27701 standards. However, this methodology can also be applied to any other security and regulatory privacy requirements.
What is the New York SHIELD Act?
On March 21, 2020, the data security provisions of New York's Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") went into effect.
The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York ("covered business") to implement and maintain reasonable safeguards to protect the confidentiality, integrity, and availability of the private information.
With the goal of strengthening protection for New York residents against data breaches affecting their private information, the SHIELD Act imposes more comprehensive data security. It updates its existing data breach notification requirements.
What is considered to be "private data under the NY SHIELD Act"?
Unlike many other states that use the term "personal information" to define the data set to be protected, the SHIELD Act uses the term "private information" to refer to the key data elements protected under the statute. Businesses that complied with the breach notification law in New York before the SHIELD Act should become familiar with the law's expanded definition of private information.
The SHIELD Act defines "private information" the same way for both the breach notification and the data security protection requirements. Private information is, in part, a subset of "personal information." Whereas, personal information is "any information concerning a natural person which, because of name, number, personal mark, or other identifiers, can be used to identify such natural person."
What is ISO/IEC 27001 and ISO/IEC 27701?
ISO/IEC 27001 is an international standard on how to manage information security by implementing an Information Security Management System (ISMS); whereas, ISO/IEC 27701 is an international standard that builds upon the security framework by implementing a Privacy Information Management System (PIMS).
How does the organization ensure that it fully meets the NY SHIELD ACT requirements?
The SHIELD Act does not mandate specific safeguards. Instead, it guides businesses on how to be deemed compliant if it implements a "data security program" that includes reasonable administrative, technical, and physical safeguards enumerated in the SHIELD Act.
To ensure that the data security program is acceptable to relevant internal and external stakeholders, the organization should consider aligning it with international standards. Hence, implementing ISO 27001 and ISO 27701 helps achieve this mission.
Below are detailed examples of how ISO Framework serves as a guideline to meet the specific safeguards referenced in the NY SHIELD Act.
Administrative Safeguards
|
Examples of safeguards referenced in NY SHIELD |
ISO 27001 Framework |
ISO 27701 Framework |
|---|---|---|
|
Designate individual(s) responsible for security programs |
5.3 - Organizational roles, responsibilities and authorities |
5.3.3 - Organizational roles, responsibilities and authorities |
|
Conduct a risk assessment process one that identifies |
6.1.2 - Information security risk assessment |
5.4.1.2 - Information security risk assessment |
|
Train and manage employees in security program practices and procedures |
7.3 - Awareness |
5.5.3 - Awareness |
|
Select capable service providers and require safeguards by contract |
A.15 - Supplier relationships |
6.12 - Supplier relationships |
|
Adjust program(s) in light of business changes or new circumstances |
4 - Context of the organization |
5.2 - Context of the organization |
|
Maintaining written policies and procedures |
5.2 - Policy |
5.3.2 - Policy |
|
Applying sanctions to individuals who violate the organization's data privacy and security policies and procedures |
A.7.2.3 - Disciplinary process |
6.4.2.3 - Disciplinary procedures |
|
Tracking inventory of equipment and devices |
A.8.1.1 - Inventory of assets |
6.5.1.2 - Inventory of assets |
|
Develop and practice an incident response program |
A.16 - Information security incident management |
6.13 - Information security incident management |
|
Maintaining and implementing a record retention and destruction policy. |
7.5 - Documented information |
5.5.5 - Documented information |
Physical Safeguards
|
Examples of safeguards referenced in NY SHIELD |
ISO 27001 Framework |
ISO 27701 Framework |
|---|---|---|
|
Assess risks of information storage and disposal |
A.8.3 - Media handling |
6.5.3.1 - Media handling |
|
Detect, prevent, and respond to intrusions |
A.16 - Information security incident management |
6.12 - Information security incident management |
|
Protect against unauthorized access/use of private information during or after collection, transportation, and destruction/disposal |
A.8.3 - Media handling |
6.5.3.1 - Media handling |
|
Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes. |
A.18.1.4 - Privacy and protection of personally identifiable information |
7 - Additional ISO/IEC 27002 guidance for PII controllers |
|
Implementing facility security plans |
A.11 - Physical and environmental security |
6.8 - Physical and environmental security |
|
Maintaining and practicing disaster recovery and business continuity plans |
A.17 - Information security aspects of business continuity management |
6.14 - Information security aspects of business continuity management |
Technical Safeguards
|
Examples of safeguards referenced in NY SHIELD |
ISO 27001 Framework |
ISO 27701 Framework |
|---|---|---|
|
Assess risks in network and software design |
A.14 - System acquisition, development and maintenance |
6.11 - System acquisition, development and maintenance |
|
Detect, prevent, and respond to attacks or system failures |
A.12.4 - Logging and monitoring |
6.9. 4 - Logging and monitoring |
|
Regularly test and monitor the effectiveness of key controls, systems, and procedures |
A.12.7 - Information systems audit considerations |
6.9.7 - Information systems audit considerations |
|
Developing access management plans |
A.9 - Access control |
6.6 - Access control |
|
Deploying encryption and data loss prevention tools |
A.10 - Cryptography |
6.7 - Cryptography |
|
Regularly updating antivirus and malware protection |
A.12.2 - Protection from malware |
6.9.2 - Protection from malware |
How does the organization demonstrate to external stakeholders, such as clients and regulators, that the NY SHIELD Act has been met with reasonable assurances?
The advice I give my clients to demonstrate reasonable compliance with NY SHIELD Act to external stakeholders is to build the organization's safeguards based on the ISO 27001 standard.
An additional step to further provide assurance is to certify the ISMS with a reputable certification body (e.g., NQA) by testing the effectiveness of the organization's control framework. The ISO certification serves as an official document that can be shared with the external stakeholders showing that compliance has been achieved and validated by independent competent auditors.
As of this writing, New York is in the process of enacting the "Safeguard Data Security Rights," regulation, which is similar to GDPR and CCPA, and it complements NY SHIELD Act. The aim is to guarantee New York residents the right to access, control, and erase their data collected, the right to nondiscrimination from providers for exercising these rights, and the right to equal access to services.
The organization can take the same approach for demonstrating compliance by building a PIMS that meets ISO 27701 certification.
Authored by Felice Priante - Principal Consultant at DataGuardZ, Inc.
JD, MBA, CIPP /E, CIPM, CIPT, CDPSE, CISSP, CISA, SSCP, CISM, CRISC, CFE, CCNA, CNE, CCSA, ABCP