To increase identity theft prevention for New York State consumers, the legislature enacted the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act. Describing the previous data breach notification law as outdated, the legislature made the new regulatory compliance requirement effective in 2020. Creating a holistic approach to Identity Governance and Administration (IGA) with intelligent analytics can ease the burdens associated with meeting the NY SHIELD Act compliance mandates.
What is the NY SHIELD Act?
Senate Bill 5575, more commonly referred to as the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, was enacted on July 25, 2019 as an amendment to the General Business Law and the State Technology Law. It updates the breach notification requirements to impose stronger obligations on businesses handling private information and personal information, in an attempt to mitigate threats that contribute to identity theft.
Section 2 of the bill amends the title of article 39-F of the General Business Law. Section 3 of the bill amends section 899-aa of the General Business Law.
What is personal information?
The NY SHIELD Act defines “personal information” as any data about a natural person that can be used to identify that individual, including name, number, personal mark, or other identifiers.
How is personal information different from private information?
While “personal information” is vague, the NY SHIELD Act defines “private information” as either personal information in combination with a variety of traditional non-public personally identifiable information, or a user name/email address in combination with a password or security question/answer that permits access to an online account.
The SHIELD Act defines private information data elements as:
- Social security number
- Driver’s license number or non-driver identification card number
- Account number, credit or debit card number in conjunction with:
  - Security code
  - Access code
  - Any other information that permits financial account access
- Account, credit card or debit card number if such number permits financial account access without additional identifying information
- Biometric information, defined as data generated by electronic measurements of an individual’s unique physical characteristics, including but not limited to:
  - Voice print
  - Retina or iris scan
What is the NY SHIELD Act's definition of a data breach?
The NY SHIELD Act shifts the definition of data breach to “unauthorised access” to personal and private information, moving away from “unauthorised acquisition of” data. By focusing on unauthorised access, the law defines data breach more broadly, increasing an organisation’s liability.
Who does the NY SHIELD Act apply to?
The NY SHIELD Act follows the tradition started with the European Union General Data Protection Regulation (GDPR) by establishing an extraterritorial definition of a responsible party as “any person or entity with private information of a New York Resident, not just to those that conduct business in New York State.”
As with many of the other up-and-coming legislative mandates in the United States, the New York legislature is attempting to force organisations into creating data security and privacy safeguards by increasing cybersecurity compliance requirements.
What is identity governance and administration (IGA)?
Identity Governance (IG) falls under the broader heading of Identity and Access Management (IAM) and involves the orchestration of policy-based user identity management and access controls during the access request and access certification process, also called provisioning, to meet regulatory compliance requirements such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). To comply with the requirements, many organisations choose Identity Governance and Administration (IGA) solutions to help manage user access, including privileged access, that streamline data privacy and security processes.
As organisations increasingly incorporate Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) services, they no longer retain full control over their IT infrastructure. In fact, this lack of control now shifts the perimeter to identity. To create a holistic data privacy and security compliance program, you need to start by creating an IGA program that ensures you know who accesses what resources while controlling how, why, and when they access them.
What are the NY SHIELD Act identity governance and administration compliance requirements?
The NY SHIELD Act updates the previous breach notification law security requirements with the language, “require reasonable data security for private information, with a more flexible standard for small businesses, without creating new requirements for entities subject to existing or future regulations by any federal or other New York State government entity.”
As part of “reasonable security”, the NY SHIELD Act requires organisations to:
- Identify reasonably foreseeable internal and external risks
- Assess the sufficiency of approved reasonable safeguards in place to control the identified risks
- Assess risks in information processing, transmission, and storage
- Protect against unauthorised access to or use of private information during or after the collection, transportation and destruction, or disposal of the information
On a positive note, the regulation provides at least two small caveats:
- Individuals cannot sue companies in civil court:
  - “no private cause of action” is available
  - All action is taken by the New York State Attorney General
- No notification is required if:
  - The access was an “inadvertent disclosure by persons authorised to access private information,” and
  - The responsible party deems that the exposure will not likely result in the misuse of the information or that no financial harm to the affected persons will occur
Although this appears to be a sliver of hope in an otherwise overwhelming update, the “persons authorised to access private information” statement focuses on the need to create appropriate access controls that go beyond “access to a data storage, processing, or transmission” location. Not all users authorised to access your systems, software, and networks should have the ability to access all information. This distinction between information access and broader systems, software, and networks access means you need to create detailed access controls that limit to “least privilege necessary” and maintain those controls.
What is access control?
Access control means creating user credentials, maintaining an access management program, and continuously monitoring user access to ensure compliance with the organisation’s authorisation and authentication control policy. Logical access controls protect data privacy and security by limiting an identity’s access to business systems, networks, and software across on-premises, hybrid, or cloud IT infrastructure using either role-based access controls (RBAC) or attribute-based access controls (ABAC).
What is access control in computer networks?
Network access control is an approach to network security that requires authentication, authorisation, endpoint security, access policy enforcement, access management, and identity management to ensure that users and devices accessing computer networks, systems, data, and resources maintain compliance with your security policy.
When the NY SHIELD Act discusses “authorised access,” it refers to a variety of network access controls. For example, an authorised user in your marketing department should be able to access resources such as a shared drive or a marketing tool. However, that same user does not need access to customer financial information. Thus, if you store financial information in a different database than potential sales leads, the marketing department users should be authorised to access only one of the two databases.
In the healthcare industry, network and resource access needs to be limited so that lab clinicians can only access the information needed to process the lab samples. They do not need access to a patient’s entire electronic medical record (EMR).
In both of these examples, the excess access could be considered a data breach under the NY SHIELD Act, which is why IGA and Identity and Access Management (IAM) become driving data privacy and security controls.
How intelligent analytics streamline NY SHIELD Act compliance
Under the NY SHIELD Act, you are responsible for any unauthorised access to information. This update means that you need to create a risk-aware IGA program that enables your users to do their jobs while also limiting their access to “least privilege necessary.” However, as organisations create digital transformation strategies, they find themselves struggling because new technologies increase the number of access points and change the definition of “identity.” Moreover, a complex IT infrastructure may lead to different definitions for roles and groups, which makes monitoring access difficult. Automation with intelligent analytics can ease many of the access and identity management burdens organisations face.
Managing new types of identities
IaaS, PaaS, and SaaS ecosystems incorporate a variety of new non-person identities such as robotic process automation (RPA), Internet of Things (IoT) devices, serverless functions, workloads, containers, and service accounts. An automated tool that enables you to create identities for these types of entities should also enable monitoring of their access controls, such as succession management and detection of segregation of duties (SOD) violations.
Reconciling identity definitions
Using intelligent analytics, automation can create a standardised identity warehouse for all identity and access definitions across your ecosystem. These tools compare the definitions provided by various services, then role-mine for similarities so you can create an authoritative source of identity. Standardised definitions provide visibility into how users access information to help protect from unauthorised access such as privilege misuse.
Enforcing risk-aware policies
The authoritative identity source establishes risk-based, context-aware rules within your automated tool, so you can more easily enforce them to meet NY SHIELD Act compliance. Intelligent analytics compare access requests to policies, then automatically alert you to potential violations. The automated tool can suggest remediation actions to prevent unauthorised access.
Having an authoritative identity source streamlines the provisioning/deprovisioning process. Using an IGA solution with intelligent analytics, you can set time-bound rules or receive alerts about potential compliance violations, such as excess or unauthorised access. Further, automated tools help prevent sources of unauthorised access such as orphaned accounts or excess access when users join, move within, or leave the organisation. Finally, the right automated tool enables you to create and monitor non-person identities such as APIs, RPAs, workloads, servers, and containers to maintain NY SHIELD Act compliance.
Reviewing user access requests
The access request/review/certification process often leads to unauthorised access arising from overwhelmed IT administrators and managers who automatically approve all requests or “rubber stamp” requests. Under the NY SHIELD Act, an organisation can determine that the unauthorised access posed no risk to the individual. Using intelligent analytics and automation allows you to create risk-based, context-aware access controls that follow ABAC best practices. Using these policies, intelligent analytics can create designated approver notifications, delegation rules, SOD rules, and escalations that streamline NY SHIELD Act compliance.
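As an added illustration (not code from the original article and not Saviynt's product), the following Python sketch models the marketing-user example above and the joiner/mover/leaver checks in a risk-aware access evaluation: an ABAC least-privilege rule that keeps private information within its owning department, an SOD rule that escalates rather than auto-approves, and an orphaned-account sweep. The resources, departments, rule and identities are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed ABAC attributes for a few resources (hypothetical, not real systems):
# which department owns the resource and whether it holds SHIELD "private information".
RESOURCES = {
    "marketing-share":     {"dept": "marketing", "private_info": False},
    "customer-finance-db": {"dept": "finance",   "private_info": True},
    "ap-invoice-create":   {"dept": "finance",   "private_info": True},
    "ap-invoice-approve":  {"dept": "finance",   "private_info": True},
}
# Constructed segregation-of-duties rule: nobody may both create and approve invoices.
SOD_RULES = [frozenset({"ap-invoice-create", "ap-invoice-approve"})]


@dataclass
class Identity:
    user: str
    dept: str
    active: bool = True                      # False once the leaver process runs
    entitlements: set = field(default_factory=set)


def sod_violations(ident):
    """SOD rules the identity already violates with its current entitlements."""
    return [rule for rule in SOD_RULES if rule <= ident.entitlements]


def evaluate_request(ident, resource):
    """Risk-aware decision for one access request: (decision, reason)."""
    attrs = RESOURCES[resource]
    if not ident.active:
        return "deny", "identity is deprovisioned"
    if attrs["private_info"] and attrs["dept"] != ident.dept:
        # Least privilege: private information stays inside the owning department,
        # so a marketing user is refused the customer finance database.
        return "deny", "private information outside requester's department"
    if any(resource in rule and (rule - {resource}) <= ident.entitlements
           for rule in SOD_RULES):
        # Escalate instead of auto-approving: a person must consciously review it.
        return "escalate", "would create a segregation-of-duties conflict"
    return "approve", "within policy"


def orphaned_accounts(identities):
    """Leavers that still hold entitlements, sorted by user name."""
    return sorted(i.user for i in identities if not i.active and i.entitlements)
```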
Documenting NY SHIELD Act compliance
Identity analytics continuously monitor your ecosystem for anomalous access requests, which allows you to prove governance over your access controls. By applying your access policies across your ecosystem, you can manage the identity lifecycle with risk-aware request escalations that require someone in the organisation to purposefully review the request. Since the NY SHIELD Act allows organisations to set a risk tolerance, automation with risk-aware policies enables you to provide the documentation necessary for proving compliance.
Karen Walsh, J.D., product marketing manager, Saviynt