NY SHIELD Act Compliance for Nonprofits

Let’s start with the good news.

States within the USA are starting to implement privacy regulations to protect our individual data. For us as individuals, this is good news. For those of us who lead nonprofits, small businesses, or any entity that collects data as part of doing business, these laws also add new responsibilities and potential liabilities.

New York passed the (awkward acronym award winner) “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act) on October 23, 2019, and the law went into effect in March of 2020. The NY SHIELD Act applies to organizations that collect personal data belonging to anyone who is a resident of New York State, whether that person is a constituent or an employee. The law applies to any organization, but it makes some allowances in how “reasonable” is defined for organizations that have less than $3 million in annual revenue or fewer than 50 employees.

The SHIELD Act is one of the more clearly written of recent privacy laws. Here is what SHIELD requires for compliance as it pertains to cybersecurity:

“...reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” - SHIELD Act

Note that the word “reasonable” has a specific legal meaning with a long history in the courts (cool fact: one of the people most responsible for the legal “reasonableness” standard was, no joke, a judge named Learned Hand). For purposes of “reasonable” cybersecurity measures, the FTC provides this language:

“Employing reasonable safeguards to protect the confidentiality, integrity or availability of data given the type, amount and sensitivity of that data in relation to the size, sophistication, and capability of the organization.”

Below we outline exactly which cybersecurity measures need to be in place in your organization if you collect private information about New York residents.

The Act requires that “reasonable” cybersecurity measures be in place, as follows:

    1. Administrative Safeguards
      • Designate one or more employees to coordinate the security program.
      • Identify internal and external risks.
      • Train employees on security program practices.
      • Select service providers capable of maintaining appropriate safeguards and require those by contract.

    2. Technical Safeguards
      • Assess risks in network and software design and information processing, transmission, and storage.
      • Detect, prevent, and respond to attacks or system failures.
      • Regularly test and monitor the effectiveness of key features of the security program.

    3. Physical Safeguards
      • Assess risks associated with information storage and disposal.
      • Detect, prevent, and respond to intrusions.
      • Protect against unauthorized access to or use of private information during or after collection, transportation, or destruction of information.
      • Dispose of private information within a reasonable amount of time.

    4. Defendify
      • Defendify by RoundTable addresses the “reasonable measures” definition for cybersecurity as follows:
      • Designate one or more employees to coordinate the security program. A point person is assigned as an administrator of the Defendify control panel and works with RoundTable to complete health check-ups, review reports, prioritize recommendations, and plan and execute remediations.
      • Identify internal and external risks. Defendify provides the following services: Stolen password scanning, phishing simulations, website security scans, and external network scanning.
      • Train employees on security program practices - Defendify provides training videos (and tracks who watches them and how well they do on the post-video quizzes), performs monthly phishing, and of course, we provide live training.
      • Detect, prevent, and respond to attacks or system failures - RoundTable’s centralized antivirus solution, plus Defendify’s scanning services satisfy the defend and protect aspect. The incident response plan and technology and data use policy creation tools outline the response to attacks.
      • Network scanning and phishing simulations satisfy the “regularly test and monitor the effectiveness of key features of the security program” requirement.

    5. Internal to Your Organization
      • Have a vendor due diligence process in place to require all business partners to be in compliance with SHIELD.
      • Protect against unauthorized access to or use of private information during or after collection, transportation, or destruction of information.
      • Dispose of private information within a reasonable amount of time.
      • Your organization will need to identify what information is collected, and how it is transmitted, stored, and disposed of.
