If you run a business in New York, then you need to know about the New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act). It requires that businesses implement administrative, technical and physical safeguards to protect data from breaches.
What Is the NY SHIELD Act?
The NY SHIELD Act went partially into effect in fall 2019 and fully into effect in spring 2020. In full, it requires that businesses strengthen their security measures to mitigate data breaches and protect residents’ personal information, including that of NY employees and customers.
Although NY already has data protection laws, the SHIELD Act broadens those laws to more fully protect and define personal or private information. It also increases breach-associated penalties. Under the act, businesses must have “reasonable” measures in place to reduce the chances of data breaches.
Advances in technology prompted the act’s passage. With sweeping access to technology and ever-changing cybersecurity threats, the act is meant to ensure businesses handle personal and private information with utmost care.
What Information Does the NY SHIELD Act Protect?
In essence, the SHIELD Act covers all NY residents’ personal and private information. Although the act doesn’t define “resident,” it notes the law applies to any entity (person, business, etc.) that handles NY residents’ personal or private data in digital form (Senate Bill S5575B).
Under the SHIELD Act, “private information” is a mix of personal information (name, number, identifier, etc.) and a data identifier. Here are a few examples:
- Social Security number
- Driver’s license number or other identification card number
- Financial numbers (credit and debit card numbers, etc.)
- Any information that would give someone access to a NY resident’s financial account/records
- Biometric identifiers
- Usernames, passwords and email addresses, plus security questions and answers that could grant access to personal information
- Health information
Who Needs to Comply With the NY SHIELD Act?
Any business that handles NY residents’ personal/private information in digital form must comply with the SHIELD Act by instituting a cybersecurity program.
The SHIELD Act affects most (if not all) NY businesses. It may also apply to businesses outside the state. In short, if you digitally store any personal or private information about a New York State resident (employees, clients, prospects, etc.), then the act applies to you.
NY SHIELD Act Requirements
In summary, the SHIELD Act states that businesses must create, institute and maintain “reasonable safeguards” to protect NY residents’ personal and private data. Administrative, technical and physical safeguards must be in place to protect the security, confidentiality and integrity of the private information.
Administrative Safeguards
The first safeguard, administrative, requires that businesses establish plans, policies and procedures.
The business must have at least one employee who plans and implements a cybersecurity program. For this program, the designated employee(s) must evaluate security risks internally and externally and determine whether the business’s current safeguards sufficiently guard against any noted risks. Businesses must also educate, manage and monitor all employees who have access to the personal and private information that is stored.
Businesses must choose vendors that understand and can help them meet the cybersecurity program’s standards. If circumstances change, businesses must adjust the cybersecurity program accordingly.
Technical Safeguards
The second safeguard involves digital (technical) protocols.
The business’s cybersecurity program must have technical safeguards. This includes evaluating any potential data security risks in terms of the business’s software and network, as well as its data transmission, processing and storage activities.
Under its cybersecurity program, a business must watch for and attempt to prevent any system failures and cyberattacks. It must also have an ongoing system of detecting, preventing and responding to cyberattacks or system failures. Additionally, it must test and evaluate the efficacy of its in-place digital protocols and systems.
If you’re a business owner, it’s wise to have a dedicated IT team in place to proactively handle technical safeguards.
Physical Safeguards
The third safeguard requires tangible (physical) measures to protect personal/private data from breaches.
The business’s cybersecurity program must cover how it safely stores and disposes of personal/private data. It must also evaluate how it maintains systems. These maintenance tasks can include ensuring computers and servers have physical security measures in place (locked rooms, keypads, safes, etc.).
The business must ensure it can safeguard data as it is collected, moved and destroyed. It must also ensure it discards personal/private information (as well as systems storing personal/private information) securely after it no longer needs that data.
Checklist for Complying With the NY SHIELD Act
Here’s a brief checklist for compliance with the NY SHIELD Act. Make sure your business has all three safeguard areas covered.
Administrative
- Designate one or more employees to run a cybersecurity program.
- Identify both internal and external risks and review the safeguards in place to control these risks.
- Train your staff on cybersecurity best practices, and do so on a regular basis.
- Ensure the vendors you use comply with the SHIELD Act and know they must do so.
- Put protocols in place so that you review and update your cybersecurity program periodically.
Technical
- Regularly evaluate the security of your network.
- Regularly assess how you safely transmit, store and dispose of data.
- Have a plan in place in the event of a data breach or cyberattack.
- Regularly test and monitor the effectiveness of key controls, systems and procedures.
Physical
- Have security systems such as locks, camera systems and authenticators in place to protect computers and servers from unauthorized access and theft.
- Have an established system to monitor, prevent and respond to intrusions at your business.
- Inform employees of the proper ways to secure and access data on-site.
- Have a system in place to ensure personal/private data is safe while it’s stored, moved and destroyed.
- Set a reasonable timeframe to destroy data that you no longer use or need.
Ensure Your Compliance With CMIT Solutions
At CMIT Solutions, we’re dedicated to providing the highest-quality IT security services and support. We specialize in helping small to midsize businesses succeed and keep their data safe.
If you’d like a consultation or help with understanding the NY SHIELD Act, call us at (585) 672-4114 or fill out our online form. We’ll get in touch.