Thu, Nov 7, 2019

NY SHIELD Act Compliance - Three Key Steps Toward Reasonable Cyber Security

In the past two years, Kroll’s Cyber Risk practice has worked with many corporate clients to assess their data collection policies and provide recommendations to ensure compliance with new data privacy and breach notification legislation such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act is the latest in a growing list of state legislation enacted to reduce the exposure of individuals’ personal data in data breaches. According to, in the first six months of 2019 there have been over 3,800 documented data breaches resulting in the exposure of more than 4 billion records, most of them email addresses and passwords. While reading about the breach du jour can make many consumers complacent about the protection of their personal data, state lawmakers are concerned about the financial losses potentially associated with these breaches. It is estimated that cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.

Until the federal government enacts a superseding law to help protect U.S. residents from data breaches, states have taken it upon themselves to help combat this epidemic. The NY SHIELD Act (effective as of March 21, 2020) is one of the more aggressive data breach notification laws and will apply to any corporation (not just New York-based) that collects and maintains New York residents’ “private information.” To remain compliant with the NY SHIELD Act, businesses must implement reasonable safeguards to protect the “private information” they collect and maintain on their networks from data breaches.

The NY SHIELD Act and similar legislation should be a wake-up call for businesses to assess their cyber security strategies and ensure compliance when collecting consumers’ personal and private information. This law reinforces the need for cyber security professionals who are responsible for protecting New York residents’ data to institute the requisite cyber security policies, administrative measures and technical safeguards.

First Reasonable Security Steps

The Center for Internet Security’s (CIS) top 20 critical controls provide a solid framework on which to build a strong cyber security strategy. Implementing the top 20 critical controls will establish the foundational and organizational measures necessary to secure the confidentiality, integrity and availability of the data on a company’s network. These controls account for:

  • Administrative necessities of maintaining an inventory of assets (hardware/software) on the network, mobile device management and use of administrative privileges;
  • The technical measures of email and web browser protection, defenses for malware and data recovery capabilities; and
  • The proactive/preventative steps of security awareness training, incident response planning and penetration testing to secure the network.

While these are only some of the criteria included in the top 20 CIS controls, by prioritizing the implementation of these security measures a company will not only make significant strides toward strong overall cyber security, but will also comply with the “reasonable data security” standard defined in the NY SHIELD Act.

Kroll’s Cyber Risk practice recommends several proactive steps to meet the “reasonable data security” standard defined in the NY SHIELD Act.

Step 1 – Data Mapping

Entities striving to become compliant with the “reasonable security standard” defined in the NY SHIELD Act should engage in a data mapping exercise. This legislation is focused on protecting the private information of New York residents that is collected and stored on entities’ networks. These entities must create a process to identify the types of private data collected and stored on their networks and how that data is being used, and implement controls restricting access to it. This critical step will allow an entity to develop cyber security strategies to protect the “private information” entrusted to it by NY residents.
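The data mapping step described above can be started with a very small inventory tool. The following is an added example, not Kroll’s tooling or anything from the original article: it classifies the fields of a few constructed data stores into private-information categories, records how each store is used and who can read it, and then flags stores whose readers go beyond the roles permitted for that category. The category names, field-name hints and value patterns are simplified assumptions for illustration; they do not reproduce the statute’s exact list of data elements, and the sample records are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Detectors for common private-information elements. Field-name hints and
# value patterns are simplified assumptions for this example, not a legal
# definition of the Act's data elements.
FIELD_HINTS = {
    "ssn": ("ssn", "social_security"),
    "drivers_license": ("dl_number", "license_no", "drivers_license"),
    "account_number": ("account_number", "card_number", "acct"),
    "credential": ("password", "password_hash", "security_answer"),
    "biometric": ("fingerprint", "face_template"),
}
VALUE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "account_number": re.compile(r"^\d{12,19}$"),
}


@dataclass
class DataStore:
    name: str
    purpose: str            # how the data in this store is used
    readers: Set[str]       # roles allowed to read the store
    sample: Dict[str, str]  # one representative record (constructed)


def classify_field(name: str, value: str) -> Optional[str]:
    """Return the private-information category of a field, or None."""
    lowered = name.lower()
    for category, hints in FIELD_HINTS.items():      # name-based detection
        if any(hint in lowered for hint in hints):
            return category
    for category, pattern in VALUE_PATTERNS.items():  # value-based detection
        if pattern.match(value):
            return category
    return None


def build_inventory(stores: List[DataStore]) -> List[dict]:
    """Data map: one row per private-information field in each store."""
    rows = []
    for store in stores:
        for fname, fvalue in store.sample.items():
            category = classify_field(fname, fvalue)
            if category:
                rows.append({"store": store.name, "field": fname,
                             "category": category, "purpose": store.purpose,
                             "readers": sorted(store.readers)})
    return rows


def overexposed(stores: List[DataStore], inventory: List[dict],
                permitted: Dict[str, Set[str]]) -> List[str]:
    """Findings for stores whose readers exceed the roles permitted for a category."""
    by_name = {s.name: s for s in stores}
    findings = set()
    for row in inventory:
        extra = by_name[row["store"]].readers - permitted.get(row["category"], set())
        if extra:
            findings.add(f'{row["store"]}.{row["field"]} ({row["category"]}) '
                         f'readable by {sorted(extra)}')
    return sorted(findings)


# Constructed sample stores; names, roles and values are made up.
SAMPLE_STORES = [
    DataStore("hr_db", "payroll", {"hr", "finance"},
              {"employee_id": "E1001", "ssn": "123-45-6789", "email": "a@example.com"}),
    DataStore("crm", "marketing", {"sales", "marketing", "all_staff"},
              {"customer": "Ann", "card_number": "4111111111111111"}),
    DataStore("web_app", "customer login", {"app_service"},
              {"username": "ann", "password_hash": "$2b$12$placeholder"}),
]
# Assumed access policy: which roles may read each category.
PERMITTED = {"ssn": {"hr"}, "account_number": {"finance", "billing"},
             "credential": {"app_service"}}

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_STORES)
    for row in inventory:
        print(row)
    for finding in overexposed(SAMPLE_STORES, inventory, PERMITTED):
        print("OVEREXPOSED:", finding)
```

On the constructed data the inventory lists three private-information fields (an SSN, a card number and a password hash), and the access check reports two findings: the card number in the CRM is readable by roles with no business need, and the SSN in the HR database is readable by finance as well as HR. In a real exercise the sample records would come from the actual stores and the permitted-role table from the owners identified during data mapping.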

In the video below you can hear Jonathan Fairtlough, Managing Director in the Cyber Risk practice, discuss the importance of data mapping and the fundamentals of a data inventory, from the types of questions to be asked to the role of a data inventory in the event of a cyber attack. This is a crucial step on the road toward NY SHIELD Act compliance.

Step 2 – Cyber Security Maturity Risk Assessment

A cyber security risk assessment includes a detailed review of an entity’s information security program, from policies and procedures to technical controls. A risk assessment will factor in any unique circumstances, as well as risk tolerances and the threat landscape. It will identify gaps and vulnerabilities based on industry-accepted frameworks and provide mitigation measures that can be implemented to defend against modern cyber security threats.

Step 3 – Penetration Test

A vulnerability scan and penetration test provide a controlled third-party attempt to gain access to a client’s network from the internet, simulating a “real-world” attack. The purpose of the penetration test is to identify the path a malicious attacker would take to compromise the organization. These tests further expose vulnerabilities that would allow attackers to gain access to the network from external sources and determine their ability to move laterally and acquire or compromise sensitive data. A penetration test will identify gaps – whether administrative, procedural or technical – that would allow an attacker to gain access to a client’s network, and provide remediation measures to reduce those vulnerabilities.

At the conclusion of these three initial steps, you should have a map that identifies the threats targeting the data on your network, the administrative, procedural and technical vulnerabilities currently exposing that data, and the recommended measures to implement to achieve reasonable safeguards. However, it is highly recommended that companies seek the help of experienced legal and technical professionals to assess compliance levels and validate cyber security maturity. As the regulatory environment evolves, so should your strategy.

End-to-end Cyber Risk Guidance

Kroll’s Cyber Risk practice has the resources to support your business at every stage of this process – from data mapping exercises, to third-party risk management programs, to breach notification and identity monitoring services. We have helped organizations assess their risks and recover from cyber incidents and data losses of all sizes and complexity for nearly two decades. Our clients rely on the deep experience of Kroll’s cyber experts to guide them through the process of assessing their current security status and making recommendations to build a strong cyber security strategy.

Our global team of cyber experts stands ready to answer your questions and provide guidance to implement measures necessary to comply with the NY SHIELD Act and similar data breach legislation. You can reach our experts 24x7 via [email protected].
