What is the SHIELD Act?
Have you heard of the New York SHIELD Act? No, it doesn’t involve Nick Fury (unfortunately).
On July 25, 2019, Governor Cuomo signed Senate Bill S.5575B/A.5635, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, into law. The SHIELD Act expands the existing NYS Information Security Breach and Notification Act. According to the Governor’s office, the SHIELD Act protects consumers by:
- Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers
- Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information
- Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State
- Expanding the definition of a data breach to include unauthorized access to private information
- Creating reasonable data security requirements tailored to the size of a business
The first part of this new law went into effect on October 23, 2019, and requires the recording of all data breaches.
“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure. The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
– Governor Andrew Cuomo
What information does it cover?
One of the most significant expansions of this regulation is that not only are businesses operating within NYS required to comply but also any businesses serving NYS residents, regardless of their geographical origin. If a business processes private information for any New Yorker, they must comply (even if the business itself isn’t located in NY). This means you may even need to comply with additional NYS regulations such as NYDFS if you service New York customers. Additionally, organizations must now provide breach notice to any affected individuals via:
- Written notice
- Electronic notice
- Phone notification, or another notification method (such as email, a public posting, or an announcement via statewide media)
This widens the audience to which SHIELD is applicable and expands how a breach is defined. Previously, a breach was defined as improper acquisition of one’s private information. Under the SHIELD Act, a breach includes basic unauthorized access to private and personal information. How do we define what private and personal information are? Personal information is identified as “Any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person”. Private information includes financial account or personal identification numbers (credit card, SSN, etc.), online login information, unsecured protected health information covered under HIPAA, and, thanks to the advancement of technologies in the 21st century, biometric data such as fingerprints or retina scans.
How does this impact my business?
Beginning March 21, 2020, part two of this amendment goes into effect, requiring businesses to have reasonable safeguards in place to protect consumer data. These safeguards include:
- Identifying possible risks to data security
- Choosing vendors that can maintain appropriate safeguards
- Swiftly detecting, preventing, and responding to attacks and system glitches
- Preventing unauthorized user access to private information
- Designating an employee to implement a strong security program
- Establishing and implementing a security training program
- Testing and monitoring implemented controls on a regular basis
- Disposing of private information in a reasonable time frame
ADKtechs provides several services to help your business follow SHIELD Act regulations, including comprehensive risk assessments to identify vulnerabilities, reviews of access controls and analysis of existing security policies, employee security training, encryption services, security hardware, and much more.
What if I don’t comply?
Failure to comply could result in costly penalties which would have significant negative impacts on your small business. As a small business ourselves, we recognize that the penalties of non-compliance overshadow the upfront business investment to comply. Penalties for failing to fulfill data security requirements are capped at $5,000 per violation. Additional penalties exist for failure to notify clients of a breach ($5,000-$250,000).
Most local businesses can’t afford this. You can’t simply cross your fingers and hope for the best. You must take action. For this reason, we offer a variety of cyber security solutions built for all budgets.