NY SHIELD Act Compliance Assessment

Evaluate compliance with the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, covering data security safeguards, breach notification, and private information protection.

Industries: Healthcare, Biotech, Finance, Technology, All. Estimated time: 20 minutes. 20 questions.

1. Scope & Applicability

Do you own or license private information of New York residents?*

SHIELD applies to any person or business that owns or licenses private information of NY residents

Have you implemented a data security program with administrative, technical, and physical safeguards?*

§899-bb(2): Reasonable data security program required for all covered entities

Is your data security program appropriate to the size, scope, and nature of your business?*

Risk-based approach: Small businesses have flexibility in implementation

2. Administrative Safeguards

Have you designated one or more employees to coordinate the data security program?*

§899-bb(2)(a): Identify internal and external resources to manage the program

Do you conduct risk assessments to identify reasonably foreseeable threats?*

§899-bb(2)(b): Assess risks to private information in all operations

Are security policies reviewed and updated at least annually?*

§899-bb(2)(e): Regularly review and adjust safeguards based on changes

Do you provide security awareness training for all employees?*

§899-bb(2)(c): Train staff on security program practices and incident response

Are employees with access to private information subject to disciplinary measures for violations?*

§899-bb(2)(d): Sanctions for violations ensure accountability

3. Technical Safeguards

Is private information encrypted in transit and at rest?*

§899-bb(2)(c): Encryption protects data during transmission and storage

Is multi-factor authentication (MFA) required for accessing private information?*

§899-bb(2)(c): MFA prevents unauthorized access with compromised credentials

Do you maintain secure access controls with unique user IDs?*

§899-bb(2)(c): Unique credentials enable accountability and access management

Are systems protected with up-to-date firewalls, anti-virus, and intrusion detection?*

§899-bb(2)(c): Protective technology prevents malware and unauthorized access

Do you monitor systems for unauthorized access and security events?*

§899-bb(2)(e): Continuous monitoring detects breaches early

4. Physical Safeguards

Are facilities containing private information secured with physical access controls?*

§899-bb(2)(c): Badge access, locks, and security personnel protect physical assets

Is private information securely disposed of when no longer needed?*

§899-bb(2)(c): Shredding, wiping, and degaussing prevent unauthorized retrieval

5. Breach Notification

Do you have procedures to notify affected NY residents in the most expedient time possible and without unreasonable delay?*

§899-aa: Notify residents in most expedient manner without unreasonable delay

Do breach notifications include required elements (incident description, data types, contact info, mitigation steps)?*

§899-aa(6): Notice must describe breach, data compromised, and steps to protect individuals

Do you notify NY Attorney General and state regulatory agencies when required?*

§899-aa(8): Notice to AG required for breaches affecting >500 NY residents

6. Vendor Management

Do you select service providers capable of maintaining appropriate safeguards?*

§899-bb(2)(f): Vendor due diligence and security capability assessment

Do contracts with service providers require them to implement safeguards?*

§899-bb(2)(f): Contractual obligations bind vendors to security requirements

* indicates a required question.