Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)

One of the requirements of the New York SHIELD Act is that businesses must have in place reasonable safeguards to protect the security, confidentiality, and integrity of private information. As part of these safeguards, businesses are expected to have a security program that includes measures to manage the risks associated with third-party service providers.

Specifically, businesses are required to implement reasonable administrative, technical, and physical safeguards, which include:

This means that if a business shares the private information of New York residents with a third-party service provider, the business is responsible for ensuring that the service provider can and will maintain appropriate safeguards for that information. This is where third-party risk management comes into play under the SHIELD Act. Businesses need to assess the risks associated with their third-party service providers and take steps to manage those risks to comply with the Act.