Starting on March 21, 2020 New York State will be enacting the SHIELD Act (Stop Hacks and Improve Electronic Data Security), which expands New York State’s data breach notification law and imposes stricter data security requirements on businesses that hold the private information of New York State residents. This affects you regardless of whether your business has a physical presence in NY State.

What to Know About the SHIELD Act

The SHIELD Act will impose specific cybersecurity requirements on businesses. The Act says that in order to achieve compliance businesses that own or license computerized data that includes “private information” of New York State residents must implement a “data security program” that includes the following safeguards:

Administrative

• Designation of one or more employees to set up the security program
• Identification of probable foreseeable external and insider risks
• Appraisal of existing safeguards, workforce cybersecurity training, and
• Selection of service providers experienced in maintaining appropriate safeguards and requiring those safeguards by contract

Technical

• Risk assessments of IT network
• Information processing and software design
• Transmission and storage, enforcement of measures to detect
• Avert and respond to system failures, and regular testing and monitoring of the effectiveness of key controls

Physical

• Evaluate risks of information storage and disposal
• Identify, prevents and responds to intrusions
• Protects against unauthorized access to or use of private information during or after the collection, transportation and disposal of the information
• Properly discard private information within an appropriate amount of time after it is no longer needed for business purposes

Penalties for Non-Compliance

The Act increases the potential civil penalties for breach notification law violations to up to $20 per instance of failed notification (capped at $250,000), and imposes new civil penalties (up to $5,000 per violation, with no cap) for certain failures to comply with the data security program requirements. As of the middle of 2019, the Attorney General’s office has fined over $600M related to data breaches.

Next Steps to Achieve Compliance

• Organize and implement a data security program that is compliant with the SHIELD Act’s requirements.
• Appoint or hire a specialist to oversee the data security program.
• Conduct regular data privacy and security training for all new and current employees.
• Assess and alleviate data security threats caused by employees and other insiders.
• Ensure that records containing the private information of New York State employees and candidates are promptly destroyed in a secure manner after the applicable retention period ends.

Net at Work can help establish and maintain a Cybersecurity Program that complies with the SHIELD Act requirements. Contact us today to ensure your business is SHIELD Act-compliant.