New York SHIELD Act: New Data Protection Requirements Set to Take Effect: Are you ready?
Do you have information of a NY resident? If so, you might need to be in compliance with the SHIELD Act.
The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was signed into law during 2019 and is set to take full effect on March 21, 2020. The law follows other states, such as California, in setting more stringent data protection standards. It enhances consumers' protection of private information while holding businesses accountable. Specifically, the law sets out the requirements for breach notification and the controls each business is required to have in place.
Who does the law apply to?
The law covers all individuals, employees, and/or organizations that have a customer or collect information on a New York resident, regardless of whether the company is based in another state or country.
How does the Law classify “Private Information”?
Private information is any individually identifiable personal information (name, number, or identifier) in combination with a social security number, driver's license number, or non-driver ID card number. Financial information such as an account number or credit/debit card number, in combination with any security code, access code, password, or other information that would permit access to the financial account, is also private information under the Act. This would include information such as biometrics (e.g., a fingerprint) that is used to access the private information.
What does the law require?
It requires that "any person or business which owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, the disposal of data".
What are the reasonable safeguards?
- Administrative safeguards: a written and coordinated security program, identification of reasonably foreseeable internal or external threats, assessment of the safeguards in place to control identified risks, employee training, service provider safeguards and oversight, and ongoing review and evaluation of the security program.
- Technical safeguards: assessment of the risks associated with the network, information processing, and software development; the ability to detect, prevent, and respond to attacks; and regular testing and monitoring of the effectiveness of key controls, systems, and procedures.
- Physical safeguards: assessment of the risks associated with information storage and disposal; protection against unauthorized access to and/or use of private information during or after the collection, transportation, and destruction or disposal of information; and the ability to detect, prevent, and respond to intrusions.
Does the law allow for exemptions?
Yes, a small business exemption is in place for small businesses with fewer than 50 employees, less than $3 million in gross revenue in each of the last three years, or less than $5 million in year-end total assets. Additional exemptions are in place for companies that are already required to comply with HIPAA or GLBA, such as financial institutions.
What are the penalties for non-compliance?
Organizations that do not comply with the breach reporting requirements can be subject to a $250,000 penalty imposed by the attorney general. The act also authorizes civil penalties of $5,000 per violation.
What should you do next?
The full law notes several steps businesses should take to address compliance. We have highlighted a number of the items that will assist in ensuring compliance and reducing the risk to your organization.
- Review, update, and/or implement appropriate policies and procedures to safeguard private information and to detect and respond to incidents, including those around vendor access and utilization. Someone should be designated to coordinate the security program.
- Understand your data and the systems that contain private information. Data mapping and system/data classification can assist in determining the location and types of data you possess.
- Institute reasonable safeguards to protect the private data, including hardware and application management, network security controls, patch and vulnerability management, encryption, and end-user security controls (secure email, spam/virus filtering, removable device restrictions, mobile device management, web content filtering, etc.).
- Provide ongoing employee awareness and training.
- Regularly assess and review the environment, utilizing an independent party for an objective analysis.
Herbein + Company, Inc. can help establish and maintain a Cybersecurity Program that complies with the SHIELD Act requirements. We have a dedicated team to assist with your information and cyber security program. For additional information contact: Jeff Johns, CISA, CRISC at info@herbein.com.