Get Ready to Comply with the New York SHIELD Act
It’s finally here: 2020, the fresh start of a new year. For most of us, the start of a new year, and especially the start of a new decade, prompts us to step back and reflect on the past: to look at how we did, ask whether or not we reached our goals, and resolve to do better in the coming days. For the average business owner, it’s a great time to do the same on a professional level. This year is especially important because cybercrime is evolving at a rapid rate, and unfortunately, we saw many local and national businesses fall victim to a range of threats, including ransomware, phishing attacks, and more.
New York’s SHIELD Act, Which Stands for Stop Hacks and Improve Electronic Data Security, Comes Into Effect on March 21, 2020.
If you haven’t made a resolution yet, complying with this new data privacy law is a great place to start. On March 21, 2020, the NY SHIELD Act comes into effect, impacting businesses all over the world that use and store information belonging to residents of the state. This means that even businesses outside New York may be required to make significant changes to the way they store, access, and share sensitive information belonging to residents of the state.
Governor Andrew Cuomo signed the SHIELD Act into law on July 15, 2019. Attorney General Letitia James noted when the bill was passed, “This bill is an important step forward, providing greater protection for consumers’ private information and holding companies accountable for securing that data.”
What Significant Changes Will Be Necessary Under New York’s SHIELD Act Come March 21, 2020?
The SHIELD Act requires companies to better protect sensitive information belonging to residents of the state. Under the SHIELD Act, the definition of a breach has been expanded to include any sort of unauthorized access to digitized data that may compromise the integrity, security, and confidentiality of private information. In addition, the definition of private information has been expanded to include:
- Social security numbers
- Credit or debit card numbers
- Driver’s license numbers
- Financial account numbers with or without security codes
- Biometric information
- Usernames or email addresses in combination with passwords
Lastly, the safeguards required to protect private information have been expanded as follows:
1. Administrative safeguards must include a designated employee or team to coordinate the cybersecurity program, under which:
- A thorough assessment of internal and external risks must be performed.
- Sufficient safeguards to control the risks identified must be implemented.
- Employees must be trained on proper security protocols and best practices.
- Third-party vendors must be vetted thoroughly and meet cybersecurity standards.
2. Technical safeguards must be implemented to protect all private information against unauthorized access. Risks should be identified in the network, the software, and the information storage processes, and a solution must then be deployed to detect and respond to attacks or system failures of any sort.
3. Physical safeguards must be deployed, including solutions that protect against unauthorized access to information at rest or in transit, as well as solutions that ensure information is disposed of within a reasonable timeframe after it is deemed no longer necessary.
Don’t Forget the Breach Notification Amendments That Came Into Effect on October 23, 2019
As you’re preparing to be in compliance before March 21, 2020, don’t forget the breach notification amendments that came into effect on October 23, 2019. The SHIELD Act updates definitions already in place and expands the existing laws regarding breach notifications. In short, any exposure of private information requires the business to notify all affected individuals through one of the following methods:
- In writing (via email or letter)
- Over the phone
- Another notification method, such as through the media
All breaches must be disclosed without delay, meaning as soon as they are discovered. If the breach impacts more than 500 residents, a written determination of the breach must be provided to the state attorney general within 10 days. If the breach impacts more than 5,000 residents, the state attorney general will determine which consumer reporting agencies the breach must be reported to and will request that you provide those agencies with the timing, content, and distribution of the notices, as well as the number of affected individuals.
Not Ready to Comply? The NY SHIELD Act Increases Existing Penalties for Data Breaches – Up to $20 Per Incident of Failed Notification with a Maximum of $250,000.
Globalquest is here to help you avoid the costly consequences of a data breach. We know that a data breach has far-reaching effects, resulting in a loss of customer trust, reputational damage, and of course, potential fines and penalties. We’ve been supporting the information technology requirements of businesses across the state since 2014. Get in touch with us as soon as possible.
Call (716) 601-3524 to Work with Western New York’s Leading IT Services Provider. We Specialize in Cybersecurity to Keep Your Private Information Safe Against Threats.