What is a good cup of coffee worth to you? A few bucks – maybe a bit more if it’s from your favorite shop? How about your privacy? That is what tens of thousands of Dunkin’ customers lost in 2015 after a successful cyberattack, and it is why regulation such as the NY SHIELD Act exists.
For years, Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill.
A settlement was announced in September of 2020 involving the notification of affected customers, refunds of unauthorized transactions, and protection against future attacks. It also included an additional $650,000 in penalties and costs – a fraction of the company’s reported sales in 2015. Dunkin’ can survive a scenario like this, but what about the majority of small businesses without safeguards in place? Probably not.
The NY SHIELD Act amends general business and state technology law concerning notification of a security breach. In other words, it’s a change in existing laws to safeguard your privacy. It requires businesses that own or license data that includes private information of New York residents to develop, implement, and maintain reasonable safeguards and, if a breach does occur, to notify anyone affected by it. The requirements aren’t limited to businesses based in New York, either. Any business storing the data of New York residents is subject to The SHIELD Act.
What type of information does The SHIELD Act cover?
If information can be tied to an individual and isn’t considered to be publicly available, it’s private information. Information covered under the act includes biometric data (fingerprints, voice data), unsecured health information (data that hasn’t been rendered unusable to unauthorized persons), financial account numbers, and email addresses along with corresponding passwords and security information.
If your business is storing any of this data, you need to take compliance seriously.
Implementing controls in your business
Under The SHIELD Act, a properly implemented program must be aligned with best practices that support access controls, security and staff training, network audits and threat prevention, multi-factor authentication, data protection, and third-party assessments.
These requirements may seem like an insurmountable goal as you’re reading them in a list, but selecting the right technology partner can address many of these needs with relative ease through a well-built cybersecurity program.
What are the penalties for non-compliance?
The penalties for a breach and the failure to properly notify affected individuals can come with a steep price tag. Fines are a civil penalty of either $5,000 or $20 per violation, with a maximum of $250,000.
Technology will continue to advance, and so will the number and sophistication of attacks designed to access your business’s data. Remote workers will be the focus of cyber criminals through 2021, potentially presenting risks across your remote workforce. Now is the time to put safeguards in place to protect your customers, reputation, and bottom line.
Want to learn more about The SHIELD Act, CCPA, and other forms of regulation that impact small businesses? Watch us as our team covers small business compliance throughout January.
Have a question about compliance and your business? Reach out to us during our live streams or get in touch today!