A CEO’s Guide to the New York Shield Act
Graeme Freeman, Co-founder and President of Freeman Clarke, recently spoke with one of our Directors in NYC, James Sharp, about the NY Shield Act and what it means to mid-market CEOs.
This summary of their conversation forms a simple FAQ about the Act and its implications for ambitious CEOs.
What is the NY Shield Act?
Graeme Freeman: Jim, can you please start by giving a simple summary of the NY Shield Act?
James Sharp: Very simply, the law expands data security and breach notification requirements to cover any business that collects private employee and customer data of New York residents. The law requires businesses to implement and maintain reasonable safeguards to protect the security and integrity of private information.
Graeme: So, just to clarify, the law applies to any company in any state that stores data about residents of New York State.
Jim: That’s correct. It’s a law that exposes you to heavy fines regardless of where your business is based.
Graeme: And this law has been passed?
Jim: Yes, it’s live. All businesses needed to be compliant by March of 2020.
Graeme: So what are the key points about the new law, and what does the CEO of a mid-market business need to do?
Jim: Well the key points are very simple. You need to take reasonable steps to protect private information and to report any breaches; this is not complicated. But the CEO isn’t going to configure the firewall, install the software and write the password policy. So the business question is: what steps should the CEO take to ensure his or her business doesn’t end up with a fine?
“The business question is: what leadership steps should the CEO take to ensure his or her business doesn’t end up with a ruined reputation and a disastrous fine?”
James Sharp, Regional Director, Freeman Clarke
What leadership steps should the CEO take?
Graeme: Right, so what are the CEO’s actions to get compliant with the NY Shield Act?
Jim: The first action is very simple: start by ensuring that roles are clear. At the very top, a single member of the Executive Team needs to have overall accountability and the senior leaders need to meet regularly, perhaps every quarter, to discuss corporate data security. If you don’t have the expertise in the organization to lead such a committee, then you need to get it.
Graeme: OK, that’s where we come in.
Jim: Correct!
Head-in-the-sand management?
Graeme: If the exec team haven’t really bought into this, how can the CEO galvanize them into action?
Jim: Well, one good way to start is to get the team together to workshop scenarios. How might a security breach occur? How are we mitigating this? How would we respond? Most likely you will surface a lot of unanswered questions and a lot of “head in the sand management”.
Graeme: When you say “head in the sand management” you mean leaders in the business who don’t really understand this area so ignore it?
Jim: Yes! The members of the exec team are busy, under pressure, and they stick to what they know. Cybersecurity must be someone else’s problem.
Is this just a lot of paperwork to keep the lawyers happy?
Graeme: Once the roles are clear, what happens next?
Jim: To comply with the law you need to have a security plan consisting of corporate data policies and procedures, regularly updated and published to the employees. And you need a comprehensive training program in place to support the knowledge transfer of the policy.
Graeme: Is this just a lot of paperwork to keep the lawyers happy?
Jim: If you just create a lot of paperwork, you’re doing it wrong, and you still won’t be secure. Time and time again CEOs believe their organization has a data security plan in place, but in reality the plan is outdated or nonexistent. Or it’s impractical and no-one takes it seriously. Most breaches happen as a result of basic ignorance or people not caring.
“Time and time again CEOs believe their organization has a data security plan in place, but in reality the plan is outdated or nonexistent. Or it’s impractical and no-one takes it seriously.”
James Sharp, Regional Director, Freeman Clarke
How to make cybersecurity planning genuinely valuable
Graeme: So how do you make this genuinely valuable rather than box ticking?
Jim: The policies need to be practical, the training needs to be engaging, and there needs to be a genuine leadership commitment to making this work. If people know the basics and take this seriously then you will very likely not have a breach – it’s as simple as that. Most hacking is not very sophisticated. If you get the basics right you will probably be OK. The thing is that most companies don’t.
Graeme: What are the basics?
Jim: You need visibility into how your company’s private data is being accessed, modified, moved and deleted, as well as understanding who in the organization has access to it. These actions, combined with a real-time security system that allows the company to generate reports and notifies the appropriate people in the event of a breach, are important actions to gain compliance with the Shield Act.
What are the 5 practical action steps a CEO needs their IT team to take to ensure compliance with the NY Shield Act?
Graeme: What are the five practical action steps a CEO should take tomorrow to ensure compliance with the NY Shield Act?
Jim: Step 1 is Data discovery and classification. An organization can only protect its private data if it knows what private data it has and where it is located. There are a number of commercial tools that will automatically discover and classify a wide range of personally identifiable information (PII), including social security numbers, driver’s license numbers, bank account details, passport numbers, and more.
Step 2 is Implement a data retention policy. Only collect and store private data if it is absolutely necessary. Organizations must ensure that they have a data retention policy in place which details what data they will collect, how, and for how long they will keep it. The policy should also include details about how data should be disposed of when it is no longer required.
Step 3 is Implement an access control policy. Organizations must have an access control policy in place, which determines who should have access to what data and why, and they will need to keep an up-to-date inventory of all access controls that are assigned.
Step 4 is Adopt a real-time alerting platform. In addition to monitoring changes to access controls to protect against “privilege escalation”, organizations must also monitor all access to private data and make certain they have a notification alert system in place. If a user account is accessing private data in a way that is not typical for that particular user, a real-time alert should be sent to the relevant staff for immediate review.
Step 5 is Use an advanced reporting console. Most data security platforms provide an advanced reporting console, which enables administrators to quickly and effortlessly generate reports that can be sent to the supervisory authorities, as and when required. Most solutions provide a wide range of pre-defined reports that are customized to satisfy the relevant compliance requirements.
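The five steps above describe a pipeline: an inventory of which datasets hold private data (Step 1) feeds an access policy (Step 3), and access events are then checked against what is normal for each user so that atypical access raises a real-time alert (Step 4). The script below is an added illustration of Step 4 and is not part of the interview or of any Freeman Clarke tooling; the dataset inventory, the user names, the access-log records and the thresholds are all constructed for the example. It builds a per-user baseline (datasets normally touched, hours of day, largest read) from historical access records and flags new events that touch a private dataset in a way that departs from that baseline.

```python
"""Added example: alert on atypical access to private data (Step 4).

All data here is constructed. PRIVATE_DATASETS stands in for the output of a
data-discovery step (Step 1); the log records are in the hypothetical shape
(user, dataset, ISO-8601 timestamp, rows_read) and are not from any real system.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical inventory from data discovery: datasets known to contain PII.
PRIVATE_DATASETS = {"hr_payroll", "customer_accounts"}

# Constructed historical access log used to learn each user's normal behaviour.
BASELINE_LOG = [
    ("alice", "hr_payroll",        "2020-03-02T09:15:00", 12),
    ("alice", "hr_payroll",        "2020-03-03T10:40:00", 20),
    ("alice", "hr_payroll",        "2020-03-04T14:05:00", 8),
    ("bob",   "customer_accounts", "2020-03-02T11:00:00", 40),
    ("bob",   "customer_accounts", "2020-03-03T16:30:00", 35),
    ("bob",   "marketing_stats",   "2020-03-04T11:20:00", 500),
    ("carol", "marketing_stats",   "2020-03-02T13:00:00", 1000),
]

# Constructed new events to be evaluated against the baseline.
NEW_EVENTS = [
    ("alice", "hr_payroll",        "2020-03-09T10:05:00", 15),   # normal
    ("bob",   "hr_payroll",        "2020-03-09T16:00:00", 30),   # never touched payroll
    ("alice", "hr_payroll",        "2020-03-10T02:30:00", 400),  # 02:30 and a bulk read
    ("carol", "marketing_stats",   "2020-03-09T13:30:00", 1200), # not private data
    ("dave",  "customer_accounts", "2020-03-09T09:00:00", 3),    # unknown account
]


def parse_ts(text):
    """Parse the ISO-8601 timestamp used in the constructed log."""
    return datetime.fromisoformat(text)


def build_profiles(log):
    """Learn per-user baselines: datasets used, hours of day seen, largest read."""
    profiles = defaultdict(lambda: {"datasets": set(), "hours": set(), "max_rows": 0})
    for user, dataset, ts, rows in log:
        profile = profiles[user]
        profile["datasets"].add(dataset)
        profile["hours"].add(parse_ts(ts).hour)
        profile["max_rows"] = max(profile["max_rows"], rows)
    return profiles


def evaluate(event, profiles, bulk_factor=5):
    """Return a list of alert reasons for one event (empty when nothing is atypical).

    Only access to datasets in PRIVATE_DATASETS is judged; bulk_factor is a
    constructed threshold (a read more than 5x the user's previous maximum).
    """
    user, dataset, ts, rows = event
    if dataset not in PRIVATE_DATASETS:
        return []
    profile = profiles.get(user)
    if profile is None:
        # An account with no history touching private data is always worth a look.
        return [f"{user}: no baseline, accessed private dataset {dataset}"]
    reasons = []
    if dataset not in profile["datasets"]:
        reasons.append(f"{user}: first-ever access to private dataset {dataset}")
    hour = parse_ts(ts).hour
    if hour not in profile["hours"]:
        reasons.append(f"{user}: access to {dataset} at {hour:02d}:00, outside usual hours")
    if rows > bulk_factor * profile["max_rows"]:
        reasons.append(f"{user}: read {rows} rows from {dataset}, "
                       f"over {bulk_factor}x the baseline maximum of {profile['max_rows']}")
    return reasons


def run(baseline=BASELINE_LOG, events=NEW_EVENTS):
    """Build profiles from the baseline and collect alerts for every new event."""
    profiles = build_profiles(baseline)
    alerts = []
    for event in events:
        alerts.extend(evaluate(event, profiles))
    return alerts


if __name__ == "__main__":
    for alert in run():
        print("ALERT", alert)
```

In a real deployment the baseline would be rebuilt continuously from the platform's own access audit trail and each alert routed to the people named in the access control policy from Step 3; the point of the example is that "not typical for that particular user" only has meaning once a per-user baseline exists, which is why discovery and classification come first.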
Cultural Change and Training
Graeme: How does the CEO make this important to the organization to ensure it actually happens?
Jim: Very simply, the CEO and all the senior leaders need to show by their own actions that this matters and to demonstrate compliance and good practice themselves. There needs to be training for everyone and they need to be seen to be committed and serious about this.
Graeme: And how does the CEO get independent assurance that this has all been done correctly?
Jim: The plan needs to include regular, perhaps annual, testing and assessment by independent professionals. And independent means not your existing MSP or the people who set up your security!
“Freeman Clarke Principals bring real-life experience and leadership talent to help mid-market companies establish a strategy and ensure it is executed properly”
James Sharp, Regional Director, Freeman Clarke
Midmarket Business Cybersecurity Crisis Planning
Graeme: And what does the CEO need to do about crisis planning?
Jim: You need a simple, flexible crisis management plan that is actually useful in the unlikely event it’s ever needed. The plan should focus on clarity about authority, escalation paths and the technical, legal, public relations and investor relations teams required for true crisis management.
In the meantime, see our Cybersecurity and Compliance Knowledge Center