The aptly named SHIELD Act is an expansion of New York State’s data breach law and General Business Law. SHIELD stands for “Stop Hacks and Improve Electronic Data.” Once the SHIELD act is implemented, businesses that operate in New York (including businesses based outside of the state) will have to update their definitions of private information, broaden the scope of what mandates the notification of a breach, and increase their protections to comply with new cybersecurity standards.
Failure to comply with the act can result in a $5,000 fine, and an actual data breach can cost a business far more and damage its reputation. The act was signed by Governor Andrew Cuomo on July 26th, 2019, and the deadline for compliance is March 21st, 2020.
This kind of overhaul is no small task for any business, especially those unaccustomed to more rigorous standards of cybersecurity. The act covers “any person or entity with the private information of a New York resident…”, which significantly broadens the scope of who must comply. The size and scale of your business will affect the scale of the data security program you are required to launch: any business with fewer than 50 employees that has generated less than $3 million in revenue in each of the last three fiscal years can tailor its program to its size.
What Exactly Qualifies as “private information”?
Under the SHIELD Act, private information includes:
- Username or email address in combination with a password or security question and answer that would permit access to an online account
- Social Security numbers
- Driver’s license or non-driver identification card numbers
- Debit or credit card numbers
- Biometric information: fingerprints and other information used for authentication beyond a password
What Should My Data Security Program Cover Under the SHIELD Act?
The act specifies that businesses address these three areas:
- Reasonable administrative safeguards – who has access to the data, and who is coordinating staff training on its protection
- Reasonable technical safeguards – assessing the risk of the network and software; of information processing, transmission, and storage; and of the planned response to system failures, along with regular testing and monitoring of the effectiveness of key controls and system procedures
- Reasonable physical safeguards – assessing the business risk of information storage and disposal; detecting and responding to intrusions; protecting against unauthorized access to or use of private information during and after collection, transportation, and destruction; and disposing of private information within a reasonable time after it is no longer needed for business purposes
The pace of technology demands an increase in the vigilance of any business’s cybersecurity, and the SHIELD Act is designed to address this need. Businesses in compliance with these new standards will decrease the vulnerability of our collective data, and more consumers and employees can rest easy knowing that their information is as secure as possible.
Of course, understanding the benefits of such an act and properly implementing practices to comply with it are two very different things. Assessing how vulnerable your business currently is to a data breach, addressing that vulnerability, and strengthening the future of your business’s cybersecurity is an exhaustive and potentially expensive process. Cybersecurity is a full-time job, and one where a trusted IT partner’s experience can allow you to concentrate on your business instead of securing it.
New York is not alone in its goal to increase the quality of cybersecurity within its borders. Massachusetts, Rhode Island, and California have already passed similar legislation. Given the high-profile data breaches of the past few years, it is unlikely that this kind of legislation will slow down. Don’t let your business get left behind.
How Do I Comply With the SHIELD Act?
Compliance with the SHIELD Act, though intimidating, is not impossible. The services we provide to clients are based on our philosophy of network design with a concentration on stability and security. When we onboard new clients, we have thorough processes in place to accomplish every step the SHIELD Act outlines. Data protection, security best practices, and staff training are at the core of our service offerings.