What Is The New York State SHIELD Act?
The New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act came into full effect on March 21st, 2020. It expands the definition of “private information” and what comprises a data breach. The Act also outlines security requirements for organizations that own or license New York residents’ private information.
Does it apply to businesses in New York only? NO. As long as you handle any New York resident’s computerized private information, the act requires you to protect its integrity, privacy, and security — regardless of your location. Breaches attract civil penalties of up to $5,000/violation.
How Does the New York State SHIELD ACT Define “Private Information”?
As pointed out earlier, the SHIELD Act expands what’s considered personal information to include:
- Usernames and email addresses. These go hand-in-hand with any applicable logins, i.e., passwords or security questions that can be used to access an online account.
- Biometric data like a user’s fingerprint, iris or retina image, or a voiceprint.
- Bank account numbers and credit/debit card numbers as long as they can be used to access the user’s financial account without extra identification credentials.
What’s a “Data Breach” According To The New York State SHIELD Act?
Previously, a data breach meant only the ‘unauthorized acquisition’ of private information. The SHIELD Act adds ‘unauthorized access’ to this definition. So, how do you determine whether data has been accessed without authorization? The Act outlines specific guidelines that “include indications that the information was viewed, communicated with, used, or altered by a person without a valid authorization or by an unauthorized person.”
In case of a data breach, you must apprise all the concerned parties. The Act, however, has an exception to this requirement if an authorized individual unintentionally made the disclosure. Even then, your organization must make a reasonable determination that the said disclosure “will not likely result in misuse of such information or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” Such determinations must also be written down and maintained for a minimum of five years.
How Can You Ensure Your Organization Stays Compliant With The New York State SHIELD Act?
Your business should design, deploy, and maintain a data security program inclusive of “reasonable administrative, technical, and physical safeguards.”
Reasonable Administrative Safeguards:
- You must have an individual/team managing your security programs. They should be experts in identifying and averting potential cybersecurity threats, both external and internal.
- You must regularly assess and test the effectiveness of your security measures.
- You must conduct regular cybersecurity training for your staff.
- You must have responsive security programs that adjust to your changing environments.
- You must select service providers with expertise in maintaining the requisite safeguards.
Reasonable Technical Safeguards:
- You must regularly evaluate your software and network design for vulnerabilities.
- Conduct risk assessments for systems that store, process, or transmit private information.
- Invest in systems that help you detect and avert potential breaches and respond appropriately when one occurs.
- Monitor and regularly evaluate your primary controls, procedures, and systems.
Reasonable Physical Safeguards:
- You must properly dispose of any computerized private information that’s no longer needed. This includes, but is not limited to, destroying all electronic records so that the data may not be reconstructed.
- You must also protect against unauthorized access to private information during collection, use, storage, and even after disposal.
For small businesses, the Act demands “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” To qualify for this exemption, you must be an individual or organization “with (i) fewer than 50 employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in total year-end assets, calculated as per generally accepted accounting principles.”
Are You Compliant With The New York State SHIELD Act?
Violations of this Act by covered businesses are regarded as deceptive practices. The New York Attorney General may penalize you up to $5,000 for every breach.
EasyIT understands that this is a relatively new concept, and you may find it challenging to grasp. You can always call us at 614.339.4999 for more information and help to comply with this Act.