In New York, the SHIELD Act went into full effect on March 21st, 2020.
Is your business SHIELD Act compliant?
The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed by Governor Andrew Cuomo on July 25th, 2019. Its breach notification amendments took effect on October 23rd, 2019, and its data security requirements took effect on March 21st, 2020, at which point the law was fully in force.
If you aren’t sure whether the SHIELD Act applies to your business, reach out to our team of Subject Matter Experts.
No matter what your unique needs are, we offer a custom-built Compliance as a Service package that will make it easy for your organization to achieve and maintain compliance.
What is the New York SHIELD Act?
According to Forbes, the first six months of 2019 saw roughly 3,800 publicly disclosed data breaches, exposing some 4.1 billion records. Data breaches are on the rise, consumers want better protections, and New York State is taking its residents' concerns more seriously.
The SHIELD Act updates New York's existing data security laws. More specifically, it strengthens and expands the data security and breach notification requirements on companies that collect information about New York residents. Under the Act, any person or business that owns or licenses computerized data containing private information must implement and maintain reasonable administrative, physical, and technical safeguards.
The SHIELD Act raises the bar for consumer protection and victim notification. It applies to any person or business that owns or licenses computerized data containing the private information of a New York resident, whether or not that business operates within the state. The law expands consumer protections and notification duties, and imposes stiffer penalties on businesses that do not comply.
What changes under the SHIELD Act?
The SHIELD Act introduces 4 major changes:
- A broadened definition of "private information". It now includes biometric information; a username or email address in combination with a password (or a security question and answer); and an account number or credit/debit card number even without a security code, access code, or password, if the number alone could be used to access the individual's financial account.
- An expanded definition of a data "breach". Previously, a breach meant only the unauthorized acquisition of computerized data. Now unauthorized access also qualifies, such as indications that private information was viewed, communicated with, used, or altered by someone without valid authorization.
- An expanded territorial scope: any business owning or licensing the private information of a New York resident must comply, regardless of where the company is located.
- New data security requirements. Under the Act, covered businesses must adopt reasonable administrative, physical, and technical safeguards, discussed below.
Who exactly is affected by the SHIELD Act?
Every New York consumer is affected by the strengthened protections of the SHIELD Act.
Beyond that, the SHIELD Act has expanded the territorial scope of these protections. Previously, the law was limited to companies or individuals that conducted business in the state of New York. Now, a company that holds private information about any New York resident is covered, regardless of whether the company is based in another state or another country.
Any company with even one New York resident in its records needs to comply and take reasonable steps to put security safeguards in place. Small businesses (fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) are not exempt, but may scale their safeguards to the size and complexity of the business and the sensitivity of the data they hold. A business already subject to and compliant with the Gramm-Leach-Bliley Act, HIPAA/HITECH, or the NYDFS cybersecurity regulation (23 NYCRR Part 500) is deemed compliant with the Act's data security requirements, though the breach notification provisions still apply.
What are the strengthened data security requirements under the SHIELD Act?
The SHIELD Act lists the administrative, physical, and technical safeguards that a compliant data security program includes. Grouped the way the statute groups them:
Administrative safeguards:
- Designate one or more employees to coordinate the security program.
- Identify reasonably foreseeable internal and external risks, and assess whether the safeguards in place are sufficient to control them.
- Train and manage employees in the security program's practices and procedures.
- Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract.
- Adjust the security program in light of business changes or new circumstances.
Technical safeguards:
- Assess risks in network and software design.
- Assess risks in information processing, transmission, and storage.
- Detect, prevent, and respond to attacks or system failures.
- Regularly test and monitor the effectiveness of key controls, systems, and procedures.
Physical safeguards:
- Assess risks of information storage and disposal.
- Detect, prevent, and respond to intrusions.
- Protect against unauthorized access to or use of private information during or after its collection, transportation, and destruction or disposal.
- Dispose of private information within a reasonable time after it is no longer needed for business purposes, erasing electronic media so that the information cannot be read or reconstructed.
Does your business have these administrative, physical, and technical safeguards in place? Reach out to one of our Subject Matter Experts to perform an in-depth risk assessment of your data security standards. We’ll help you figure out exactly what you’re missing.
What happens if my company doesn’t comply with the SHIELD Act?
The Act is enforced by the New York State Attorney General; it creates no private right of action. For failures to notify affected residents, the Attorney General can seek, for knowing or reckless violations, the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000 (up from $10 per instance and a $150,000 cap under the previous statute). For failure to implement reasonable safeguards, the Attorney General can seek civil penalties of up to $5,000 per violation.
The number of reported healthcare data breaches increased 36.1% from 2018 to 2019, from 371 reported breaches in 2018 to 505 in 2019. That made 2019 the worst year on record for the number of reported healthcare breaches.
As a business, it is more vital than ever to avoid costly penalties and to protect the private electronic information you collect.
What can I do to make sure I’m ready for the SHIELD Act?
The New York SHIELD Act is already in full effect, and your organization needs to assess its data security standards, making any adjustments as necessary to comply with the new law.
Reach out to us any time to chat with an expert about eVero’s Compliance as a Service options, and how we’ll customize them specifically for your business. We’ll quickly determine all the steps necessary to get you compliant with the New York SHIELD Act today.
Published originally February 27th, 2020 | Updated May 17th, 2020
Written by Jessica Zarrillo