Electronic Data Security Act (SHIELD)
The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD) requires businesses to responsibly safeguard any personal information collected on New York residents through data security best practices. The goal is to protect the security, confidentiality, and integrity of personal information.
Effective as of March 21, 2020 (with compliance enforcement beginning 240 days afterward), the act is designed to augment the New York State Information Security Breach and Notification Act. It includes an updated definition of personal information and data breaches, and more businesses are affected by the new policy.
Consequences for Non-Compliance
Failing to implement appropriate security measures for NY SHIELD Act compliance carries consequences. Penalties could include:
- Paying up to $5,000 per violation and injunctive relief.
- Liability for actual losses incurred by a person who is entitled to notice.
- Penalties of either $5,000 or $20 per instance of failed notification, with a $250,000 maximum fine.
- Submitting written notice to the New York Attorney General if the personal data of over 500 New York residents has been compromised due to your lack of compliance (the notice must be submitted no later than 10 days following your determination of non-compliance).
* These penalty amounts have been increased from the previous act.
Personal Data and Data Breaches as Defined Under SHIELD
Private information under the NY SHIELD Act, outside of obvious personal data such as names and addresses, could include:
- Credit card and debit card information
- Security questions and answers
- Driver's license or ID numbers
- Social Security numbers
- Biometric information
- Username and email
- Account numbers
The definition of a data breach has been updated as well: it now includes unauthorized access to personal information, not only theft. Prior to SHIELD, consumers were notified only if an unauthorized entity stole their information.
Now, careless employee action, including unauthorized access to personal data, is considered to compromise data security just as much as external theft, and companies will be required to notify the affected individuals.
Who Must Comply?
Under the New York State Security Breach and Notification Act, only companies doing business in New York were required to maintain compliance.
Now, under the SHIELD Act, any individual or organization that collects, owns, or sells private information of a New York resident must comply with the standard. It doesn’t matter if your company is based in the state of New York or not.
Does the NY SHIELD Act impact your business? Solvere One’s IT professionals help you understand everything you need to know about New York SHIELD Act compliance.
Measures to Gain Compliance
Companies that collect private information on New York residents must have reasonable protective measures in place to gain compliance.
The SHIELD Act covers three main areas:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
While the act doesn’t give specific measures to take, it does give examples of what appropriate data security practices might look like for an organization to attain NY SHIELD Act compliance, including:
- Requirements for vendors to responsibly handle and dispose of data
- Appointing staff members responsible for data security
- Having a disaster recovery strategy in place
- Managing access to personal information
- Data disposal policies
- Vulnerability testing
- Employee training
- Network security
- Risk assessments
Not sure which measures are appropriate for your business? The best way to attain compliance with the NY SHIELD Act is to take advantage of managed security services from a provider who specializes in data security policies such as SHIELD.
We Help You Gain Compliance and Reduce Risk
If you’ve not yet gained compliance with the New York Stop Hacks and Improve Electronic Data Security Act and you collect private information from New York residents, you could be penalized.
It’s unrealistic for many companies to expect in-house staff to implement all the data security best practices SHIELD recommends. Even if you have an in-house IT team, our experienced IT professionals at Solvere One can supplement your talent to fully implement SHIELD requirements by the enforcement deadline and avoid penalties.
We begin by thoroughly assessing your risk and creating a plan to put these security practices into action as soon as possible. We help you correct any vulnerabilities in your networks or current practices and reduce your risk for security breaches. Our services allow you to decrease the chances that any private information you collect would be compromised by either an internal or external attack.
Working with a managed services provider such as Solvere One for your New York SHIELD Act compliance can help alleviate the stress of gaining compliance within the timeline and keep your staff focused on what they do best. We handle the details and become an integral part of your in-house team to meet your data security goals and fully comply with SHIELD requirements.
If you collect and process private information from New York residents, you must comply with SHIELD. Solvere One can help you gain compliance and continue to meet the growing standards of these security policies. Contact us today at (202) 905-2722 to get started!