Effective March 21, 2020, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires businesses that hold the private information of New York residents to protect it. Any business that owns or licenses such data must implement reasonable administrative, technical, and physical safeguards. Non-compliance can mean lasting damage to your business reputation and civil penalties sought by the New York Attorney General. Read below to find out whether you need to comply and, if so, how.
Common SHIELD Act Objections
Here are some common reasons businesses give for not complying with this law, and why they do not hold up:
“We don’t store any information”
Under this law, a breach is unauthorized access to or acquisition of computerized data that compromises the private information of any New York State resident. Private information covers identifiers you almost certainly hold for employees and customers, such as a name combined with a Social Security number, driver's license number, or account number. More detail on what constitutes personal and private information can be found in our post, How to SHIELD Your Customers.
“We don’t accept credit card payments”
The Payment Card Industry Data Security Standard (PCI DSS) is a contractual industry standard imposed by the card brands on businesses that handle card payments. The NY SHIELD Act is a separate state law that protects the private information of New Yorkers, and it applies whether or not you accept cards.
“My company isn’t located in New York”
The law applies to any person or business that owns or licenses computerized data containing the private information of New York residents, regardless of where the business is physically located. If you have New York customers or employees, you must maintain the required safeguards for their information.
“We have cyber insurance”
Cyber insurance is worth having. However, a policy does not make you compliant: many policies exclude future lost profits and the cost of upgrading your technology to prevent subsequent breaches, and none can undo the damage to your reputation when a breach results from NY SHIELD Act non-compliance. The best course of action is to do everything you can to avoid a breach in the first place.
How to Comply
Safeguard Implementation
The SHIELD Act requires a data security program that includes reasonable safeguards in each of the three categories below. Implementing them is how you comply.
- Administrative Safeguards
  - Designate one or more employees to coordinate the security program
  - Identify reasonably foreseeable internal and external risks
  - Assess the sufficiency of existing safeguards against those risks
  - Train employees in the security program's practices and procedures
  - Contractually require third-party service providers to maintain appropriate safeguards
  - Adjust the security program as business circumstances change
- Technical Safeguards
  - Assess risks in network and software design, and in information processing, transmission, and storage
  - Detect, prevent, and respond to attacks or system failures
  - Regularly test and monitor the effectiveness of key controls, systems, and procedures
  - Validate encryption of data at rest and in transit (encrypted data is excluded from the law's definition of private information unless the encryption key is also compromised, so working encryption can keep an incident from becoming a reportable breach)
- Physical Safeguards
  - Assess risks of information storage and disposal
  - Detect, prevent, and respond to physical intrusions
  - Protect against unauthorized access to or use of private information during or after collection, transport, and disposal
  - Dispose of private information within a reasonable time after it is no longer needed, so that it cannot be read or reconstructed
Other Compliance Standards
You may already satisfy the SHIELD Act's safeguard requirement if your business is subject to, and actually in compliance with, any of the following:
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Gramm-Leach-Bliley Act (GLBA)
- NY DFS Cyber Security Regulation (23 NYCRR 500)
Note that this deemed compliance covers only the safeguard requirement; the SHIELD Act's breach notification obligations still apply.