NY SHIELD Act Compliance for Nonprofits

Let’s start with the good news.

States within the USA are starting to implement privacy regulations to protect our individual data. As individuals, this is good for us. As leaders of nonprofits, small businesses, or any entity that collects data as part of doing business, these laws add new responsibilities and potential liabilities.

New York passed the (awkward acronym award winner) “Stop Hacks and Improve Electronic Data Security Act” (SHIELD) Act on October 23, 2019, and the law went into effect in March of 2020. The NY SHIELD Act applies to organizations that collect personal data belonging to anyone who is a resident of New York State, whether that person is a constituent or employee. The law applies to any organization, but makes some allowances in how “reasonable” is defined for organizations that have less than $3 million in annual revenue or fewer than 50 employees.

The SHIELD Act is one of the more clearly written of recent privacy laws. Here is what SHIELD requires for compliance as it pertains to cybersecurity:

“...reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” - SHIELD Act

Note that the word “reasonable” has a specific legal definition with a long history within the legal system (cool fact: one of the people most responsible for the legal “reasonableness” standard was, no joke, named “Learned Hand”). For purposes of “reasonable” cybersecurity measures, the FTC provides this language:

“Employing reasonable safeguards to protect the confidentiality, integrity or availability of data given the type, amount and sensitivity of that data in relation to the size, sophistication, and capability of the organization.”

Below we outline exactly which cybersecurity measures need to be in place in your organization if you are collecting private information in New York.

The Act requires “reasonable” cybersecurity measures to be in place, as follows:

    1. Administrative Safeguards
      • Designate one or more employees to coordinate the security program.
      • Identify internal and external risks.
      • Train employees on security program practices.
      • Select service providers capable of maintaining appropriate safeguards and require those by contract.

    2. Technical Safeguards
      • Assess risks in network and software design and in information processing, transmission and storage.
      • Detect, prevent and respond to attacks or system failures.
      • Regularly test and monitor the effectiveness of key features of the security program.

    3. Physical Safeguards
      • Assess risks associated with information storage and disposal.
      • Detect, prevent and respond to intrusions.
      • Protect against unauthorized access to or use of private information during or after collection, transportation or destruction of information.
      • Dispose of private information within a reasonable amount of time.

    4. Defendify
      • Here is how Defendify by RoundTable addresses each element of the “reasonable measures” definition for cybersecurity:
      • Designate one or more employees to coordinate the security program. A point person is assigned as an administrator of the Defendify control panel and works with RoundTable to complete health check-ups, review reports, prioritize recommendations, and plan and execute remediations.
      • Identify internal and external risks. Defendify provides the following services: stolen password scanning, phishing simulations, website security scans, and external network scanning.
      • Train employees on security program practices. Defendify provides training videos (and tracks who watches them and how well they do on the post-video quizzes), performs monthly phishing simulations, and of course, we provide live training.
      • Detect, prevent and respond to attacks or system failures. RoundTable’s centralized antivirus solution, plus Defendify’s scanning services, satisfy the defend-and-protect aspect. The incident response plan and the technology and data use policy creation tools outline the response to attacks.
      • Regularly test and monitor the effectiveness of key features of the security program. Network scanning and phishing simulations satisfy this requirement.

    5. Internal to Your Organization:
      • Have a vendor due diligence process in place to require all business partners to be in compliance with SHIELD.
      • Protect against unauthorized access to or use of private information during or after collection, transportation or destruction of information.
      • Dispose of private information within a reasonable amount of time.
      • Your organization will need to identify what information is collected, how it is transmitted, stored and disposed of.
