IMPLEMENTING ISO SECURITY AND PRIVACY FRAMEWORKS TO MEET THE NEW YORK SHIELD ACT

10 March 2021

What are the common challenges that organizations encounter when facing new regulatory requirements applicable to their business?

The common challenges are:

1. How does the organization ensure that it fully meets the regulatory requirements?
2. How does the organization demonstrate to external stakeholders, such as clients and regulators, that the regulatory requirements have been met with reasonable assurance?

This article aims to answer these questions as they apply specifically to complying with the New York SHIELD Act by implementing the ISO 27001 and ISO 27701 standards. The same methodology can also be applied to other security and privacy regulatory requirements.

What is the New York SHIELD Act?

On March 21, 2020, the data security provisions of New York's Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") went into effect.

The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York ("covered business") to implement and maintain reasonable safeguards to protect the confidentiality, integrity, and availability of the private information.

With the goal of strengthening protection for New York residents against data breaches affecting their private information, the SHIELD Act imposes more comprehensive data security requirements and updates the state's existing data breach notification requirements.

What is considered "private information" under the NY SHIELD Act?

Unlike many other states that use the term "personal information" to define the data set to be protected, the SHIELD Act uses the term "private information" to refer to the key data elements protected under the statute. Businesses that complied with the breach notification law in New York before the SHIELD Act should become familiar with the law's expanded definition of private information.

The SHIELD Act defines "private information" the same way for both the breach notification and the data security protection requirements. Private information is, in part, a subset of "personal information," which is "any information concerning a natural person which, because of name, number, personal mark, or other identifiers, can be used to identify such natural person."

What are ISO/IEC 27001 and ISO/IEC 27701?

ISO/IEC 27001 is an international standard for managing information security by implementing an Information Security Management System (ISMS); ISO/IEC 27701 is an international standard that builds on that security framework by implementing a Privacy Information Management System (PIMS).

How does the organization ensure that it fully meets the NY SHIELD Act requirements?

The SHIELD Act does not mandate specific safeguards. Instead, a business is deemed compliant if it implements a "data security program" that includes the reasonable administrative, technical, and physical safeguards enumerated in the SHIELD Act.

To ensure that the data security program is acceptable to relevant internal and external stakeholders, the organization should consider aligning it with international standards. Implementing ISO 27001 and ISO 27701 helps achieve this.

Below are detailed examples of how the ISO frameworks serve as a guideline for meeting the specific safeguards referenced in the NY SHIELD Act.