Are You Ready To Comply With The SHIELD Act?
On July 25th, 2019, Governor Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act for short. The law introduces new requirements for notifying New York state residents whose electronic private information was exposed in a security breach, and it holds accountable any company that does business with the state’s residents.
Here is what you need to know.
Let’s Take A Closer Look At What Is New
The SHIELD Act expands data security and breach notification requirements to cover any business that holds, leases and/or collects private information (PII) on New York state residents, regardless of where that business is located.
It changes the definition of a security breach. Previously, the state’s data security law only considered the unauthorized acquisition of PII to be a data breach. Now notifications have to be sent to affected individuals if any PII was merely accessed by an unauthorized party, whether or not it was taken.
It expands the definition of Private Information (PII) as well. Identifiers now include biometric information (such as a fingerprint, voice print, retina image or other unique biometric identifier), and a username or email address in combination with a password or security question answer that would allow access to an online account.
What Are the New Data Security Requirements?
The SHIELD Act does not provide a detailed outline of what is required. It does, however, specify a range of measures that include administrative, technical and physical safeguards.
Highlighting a few of the most important ones:
- Designate one person to coordinate your security program.
- Conduct risk assessments to help identify reasonably foreseeable risks to data security.
- Implement safeguards to protect against these risks (such as encryption, 2FA, breach detection software, anti-virus and patch management).
- Set up ongoing cybersecurity awareness training for employees.
- Implement strict data access policies.
- Select vendors that can maintain appropriate safeguards to protect against unauthorized access.
The implementation deadline was March 21st, 2020.
Entities already in full compliance with the cybersecurity regulations under HIPAA/HITECH and GLBA/NYDFS are automatically “deemed to be in compliance” with the SHIELD Act’s “reasonable safeguards” standards.
However, incident response plans should still be updated to include the new notification requirements, as these affect every organization regardless of any existing industry-specific regulations.
How Is the Act Being Enforced?
The New York State Attorney General has been authorized to seek both injunctive relief and penalties for failure to implement reasonable cybersecurity safeguards – even in the absence of a data breach – of up to $5000 per violation.
Breach notification violations can result in fines of up to $250,000.
The state clearly means business: by August 2019, the Attorney General’s office had already levied fines of more than 600 million dollars related to data breaches.
How Can We Help?
The introduction of the SHIELD Act will have a significant impact on businesses that hold Private Information of New York state residents. If cybersecurity has not been a top priority in your business so far, this new act makes it one. Identifying the information subject to the law and assessing the security risks to it should be the first step in any compliance effort, followed by the implementation of updated data security practices and breach notification policies.
If this seems complicated and like a lot of work, we can help manage and simplify the process for you.
Reach Out to Meeting Tree Computer, Your Hudson Valley SHIELD Act Cyber Security Consulting Company.
Contact us now at 845-237-2117 or use an option on our contact page for a customized security assessment.
Our team is prepared to assist you every step of the way and we look forward to working with you!