Is Your Business Prepared for Compliance to the NYS SHIELD Act?
On July 26th, 2019, the Stop Hacks and Improve Electronic Security Act (also known as the SHIELD Act), was signed into law by Governor Andrew Cuomo. With the deadline for businesses to ensure their compliance looming, it is important for any and all businesses with the data of a New York State resident to understand exactly what is at stake.
By amending sections of the existing General Business Law and the State Technology Law, as well as introducing new sections within the former, the SHIELD Act is intended to protect the personal and private information of New York State residents.
The first thing to understand is just how far this law reaches. It does not pertain exclusively to New York-based businesses; it pertains to any business that holds the private information of a resident of the state of New York.
Of course, this mainly applies to businesses that meet specific benchmarks, but that still does not necessarily leave your organization out. The SHIELD Act covers all bases with a few additional requirements.
Let’s go over what this might mean for you.
The SHIELD Act
As stated in the sponsor memo of Bill S5575B (the bill that introduced the SHIELD Act), the bill:
“...broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information. It also requires reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities.”
What Information is Now Covered?
According to the new law, “personal information” entails any information that could be used to identify someone, including:
- Name
- Number
- Personal mark
- Any other identifier
“Private information” covers a few different considerations. Not only does it cover the combination of “personal information” with any of the following data elements…
- Social Security Number
- Driver’s license (or any other identification card) number
- Account number and any needed access information to access a personal financial account
- Biometric information
- Username and/or email address combined with the credentials needed to access an account.
… it also expands the notification requirements that businesses which experience a breach must follow toward those whose information may have been compromised.
“Reasonable Safeguards”
If a small business possesses any of that information for a resident of New York, it must have “reasonable safeguards” in place to be compliant with this law. Compliance itself relies on a comprehensive set of requirements covering the safeguards and security processes a business must put in place. These include network assessments and risk prevention and detection.
This is where the size of a particular business comes into play. Technically, unless your business has more than 50 employees or generates more than $3 million in gross annual revenue, you only need to maintain data security measures that are appropriate to the scope of your operations. Most industry-specific regulations will overlap with the requirements of the SHIELD Act.
What Noncompliance to the SHIELD Act Could Cost You
To be blunt: a lot. Any organization that is not compliant with the SHIELD Act by the deadline could see civil penalties of up to $5,000 per violation.