What Is the New York State SHIELD Act?
Are you doing business in New York? Is your business compliant with the New York State SHIELD Act?
On March 21, 2020, the Stop Hacks and Improve Electronic Data Security Act, commonly known as the SHIELD Act, went into effect. Signed into law in July 2019, the SHIELD Act requires any business or person owning or licensing computerized data that includes a New York resident’s private information to implement and maintain reasonable cybersecurity measures to protect the confidentiality security, and integrity of the private information.
Check out our latest video to learn about the SHIELD Act:
What Does Private Information Entail?
Private information could be:
- An email address or username in combination with a security question and answer or password that gives access to an online account.
- Personal information concerning a person that can be used to identify such a person because of name, personal mark, number, or any other identifier.
This data may include their social security number, debit or credit card number, driver’s license number in combination with a password, access code, or security code that would give access to a person’s financial account.
Are There Any Compliance Exceptions for Small Businesses? Before the SHIELD Act, there were no exceptions for small businesses in the breach notification law. The SHIELD Act’s data security obligation defines a small business as an organization that:
- Has less than fifty employees.
- Has less than three million US dollars annual revenue in each of the past three fiscal years.
- Has less than five million dollars in total year-end assets, calculated following generally accepted accounting principles.
A small business is only deemed compliant with the SHIELD Act security requirements if the business implements a cybersecurity program that includes reasonable technical, administrative, and physical safeguards.
For each safeguard, the act outlines procedures or actions a business should consider implementing.
Reasonably Administrative Safeguards:
- Designating one or more employees to coordinate the company’s security program.
- Identifying reasonably foreseeable external and internal security risks.
- Assessing the sufficiency of the safeguards in place to mitigate the identified risks
- Managing and training employees in the security procedures and program.
- Selecting and contracting service providers who are capable of maintaining appropriate safeguards.
- Updating and adjusting the security program to meet your changing business circumstances.
Reasonable Technical Safeguards:
- Evaluating risks in software and network design.
- Assessing risks in information transmission, processing, and storage.
- Detecting, responding to, or preventing system failures or attacks.
- Regularly monitoring and testing the effectiveness of critical security controls, procedures, or systems.
Reasonable Physical Safeguards:
- Assessing risks of information storage and disposal.
- Detecting, responding to, and preventing intrusions.
- Protecting against unauthorized access or use of private information during the collection, transportation, destruction, or disposal of the information.
- Disposal of private information within a reasonable time frame once it’s no longer needed for business purposes.
- Erasing electronic data in a way that it cannot be reconstructed or read.
A business is also required to be compliant with the SHIELD Act security requirements if the business is subject to the following data security regulations:
- The Health Insurance Portability and Accountability Act (HIPAA).
- The Health Information Technology for Economic and Clinical Health Act (HITECH).
- The Cybersecurity Requirements for Financial Services established by New York’s Department of Financial Services.
- Other data security regulations and laws.
What Costs Are You Likely to Incur If You Don’t Comply With the New York State Shield Act? Businesses that are non-compliant with the SHIELD Act are liable for the civil penalty of up to 5,000 dollars per violation.
To avoid these penalties, your company should implement and maintain acceptable cybersecurity practices.
Are You Looking for a Reliable I.T. Partner to Help You With Compliance?
Do you have any questions regarding the SHIELD Act, or are you thinking of compliance? At Buffalo Computer Help, we offer years of expertise and experience in providing compliance solutions to businesses in Buffalo and Western New York.
Consult with us today or call us on (716) 206-3200 to get familiar with the SHIELD Act compliance and ultimately become compliant.