What are the penalties for failing to comply with the SHIELD Act?
Failing to comply with the New York SHIELD Act can be very expensive for you and your company. Before looking at the penalties, it is important to know what the SHIELD Act is. The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) took effect on March 21, 2020, in New York State. It protects and regulates the data security of New York State residents: any business or organization that handles the private electronic data of New York State residents must comply with the SHIELD Act. The primary purpose of the Act is to impose broader data security requirements. With more business transactions occurring online, protecting electronic customer data is critical, and the SHIELD Act sets out rules and compliance requirements to ensure that client electronic data is properly protected.
What does it mean to be SHIELD compliant?
Companies are compliant if they implement reasonable administrative, physical, and technical safeguards. The SHIELD Act lists the following as examples of each kind of safeguard:
Administrative safeguards:
- Designate individual(s) responsible for the security program;
- Conduct a risk assessment process that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of safeguards in place to control those risks;
- Train and manage employees in security program practices and procedures;
- Select capable service providers and require safeguards by contract; and
- Adjust the program(s) in light of business changes or new circumstances.
Physical safeguards:
- Assess risks of information storage and disposal;
- Detect, prevent, and respond to intrusions;
- Protect against unauthorized access to or use of private information during or after collection, transportation, and destruction/disposal; and
- Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes.
Technical safeguards:
- Assess risks in network and software design;
- Assess risks in information processing, transmission, and storage;
- Detect, prevent, and respond to attacks or system failures; and
- Regularly test and monitor the effectiveness of key controls, systems, and procedures.
Lacking any of these safeguards could put your company in breach of the SHIELD Act.
So, what are the penalties for non-compliance?
If your company does not follow the guidelines set out in the SHIELD Act, it could be in "breach of the security of the system" or in "breach of the notification requirement". The Attorney General may bring an action for violations and obtain civil penalties. For data breach notification violations that occurred unknowingly, the court may award damages for the actual costs or losses incurred. For knowing and reckless violations, however, a person or company may be penalized $5,000 per record or violation, up to a maximum of $250,000.
The cost of these penalties far outweighs the modest cost of working with the best IT company in Western New York, Globalquest. Let Globalquest make sure you have all the safeguards in place to be SHIELD compliant. Call us or send us an email today!