Raise Your SHIELD!
The first half of 2020 saw over 500 reported data breaches! This surge in attacks came as a wake-up call for many businesses, especially ones that store Personally Identifiable Information (PII), such employee or customer social security numbers. In an effort to curb these breaches and stringently provide protection to consumers in New York while setting higher standards for companies that serve them, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into law in July 2019.
The SHIELD Act, which went into effect in March 2020, is an extension of the New York State Information Security Breach and Notification Act and broadens the scope of the already existing federal and state data protection regulations. It expands the data security and breach notification requirements in three major ways:
- It has changed the definition of breach from “unauthorized acquisition of private information” to “unauthorized access to private information.” Simply put, viewing, copying, and downloading is considered a data breach and should be reported immediately.
- The definition of PII has been expanded to include: biometric information, e-mail addresses and corresponding passwords, security questions and answers, and financial account numbers that don’t require any security code, in addition to the regular SSN, credit/debit card number, driving licence number, etc.
- It applies to any company, within or outside New York, which handles PII of New York residents.
The Act outlines administrative, technical, and physical safeguards that each company needs to put in place. The full Act covers a significant number of protocols to be set by companies, highlights of which are as follows:
- Conducting regular risk assessments related to IT, information storage and disposal, network and software designs.
- Proper planning and execution of employee awareness training programs.
- Monitoring the effectiveness of system controls and procedures.
- Carefully choosing vendors that can maintain and support these safeguards.
- Designating at least one person dedicated to coordinate the security program.
The SHIELD Act might sound like a Herculean task, but there’s a respite for companies falling under certain criteria. There are exceptions for small businesses with less than 50 people and $3 million in yearly revenue. Also, companies already compliant with GBLA, HIPAA, and 23 NYCRR 500 will be allowed exemptions under this Act. However, these businesses still have to implement reasonable security protocols depending on the size and complexity of their operations.
The New York State Attorney General, who is the enforcer for this Act, can seek up to $250,000 for non-compliance. But there is no capping on the penalties, so the fines can go higher depending on the level of the breach and misinformation. Just recently, the Attorney General penalised ShopRite and its parent company, Wakefern, in the amount $235,000 for improper disposal of electronic devices and putting thousands of consumers’ private data at risk.
While the SHIELD Act’s complexity and detailed rules might seem overwhelming, our compliance team is well-versed in the Act and can guide to get your SHIELD up.
Related Insights
All Insights
Our specialists are here to help.
Get in touch with a specialist in your industry today.