What is “Private Information” under the SHIELD Act?
If you have customers residing in New York State, your business must comply with the SHIELD Act even if the company itself is located outside New York. The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was enacted by New York State to protect and regulate the data security and “private information” of New York State residents. Any person or business that owns or licenses computerized data of a New York State resident must implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that data.
Under the SHIELD Act, “private information” refers to specific data elements. Private information is a subset of personal information, which is any information that identifies a person, such as a name, number, personal mark, or other identifier. The SHIELD Act expands the definition of “private information” to include the following:
- Personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
  - social security number;
  - driver’s license number or non-driver identification card number;
  - account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account;
  - account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
  - biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; or
- A username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
“Private information” excludes publicly available information that has been lawfully made available to the general public. Note that the encryption exception only applies while the key remains secure: data that is encrypted, but whose key has also been accessed or acquired, is still treated as private information. The SHIELD Act does expand the definition of “private information” to include medical and health insurance identifiers.
Who should you contact to be SHIELD compliant?
Violating the SHIELD Act can carry heavy penalties. A court-imposed penalty can reach $5,000 per violation, capped at $250,000 in total. Make sure you hire the right IT company, one that understands the importance of protecting “private information” and knows the rules of the New York State SHIELD Act. At Globalquest, we can help you with all your business needs, including compliance. We are here to ensure that you continue to protect the sensitive data covered by the New York SHIELD Act, remain compliant, and avoid violations and penalties. Give us a call, or send us an email, today.