If your business is in any way related to New York, or your customers are based in New York, you need to know everything about the SHIELD Act. The New York law “Stop Hacks and Improve Electronic Data” came into effect in 2020.
The act requires businesses to put measures in place to prevent the misuse or theft of personal consumer information. The SHIELD law expanded the requirements around data breaches and security breaches, updated the definition of a breach of security, and brought a much larger set of personal information under protection.
Overview of SHIELD law
In this section we discuss how the SHIELD law affects New York businesses and how it defines confidential information.
Under the SHIELD Act, confidential information falls into four main categories:
Financial Accounts – any combination of data items that can provide direct access to personal financial accounts. For example, a name or account number and a social security number or driver’s license number, as well as a password or security code.
Online Accounts – any combination of data objects that can provide direct access to an online account. For example, email address or username, and password or security code.
Credit Information – an account number or credit / bank card number which, combined with personal information, is sufficient to give access to the account. For example, name, address, account number, and answers to security questions.
Biometric Data – biometric data such as fingerprints or retina images which, combined with personal identification information, is sufficient to give access to an online account.
The SHIELD law defines a breach as access to confidential information, not merely its discovery. This greatly expands the range of events that count as data breaches. Even encrypted data may trigger a breach report if the associated encryption key is also exposed. In the event of a breach, companies must report the incident to state authorities.
How to comply with SHIELD law
The law carries a broad mandate: it requires that all companies operating in the state of New York have at least one data protection program that includes the following:
Companies can meet legal requirements by following a cyber security framework such as NIST or CIS.
For SMBs, the Act has provisions allowing small businesses to establish a “good” information security program proportionate to the size of their business.
The Act describes those businesses as companies with fewer than 50 employees and those whose revenue has not exceeded $3 million over the past three years.
Failure to establish a compliant security plan is punishable by up to $5,000 for each offense. Most importantly for MSPs and their clients, the Act gives the state the power to penalize companies that fall out of compliance with the law. Avoid the high cost of non-compliance by taking the following steps: use appropriate precautions, designate at least one person to oversee the security program, and assess risk regularly.