Attention all Businesses who Collect Private Information on New York residents:

Is your Company in Compliance with The NY State Cybersecurity Regulations?

One of the biggest threats to your business these days is your compliance with the NY Stop Hacks and Improve Electronic Data Security (SHIELD Act) - or lack thereof!

The SHIELD Act requires businesses to develop, implement and maintain “reasonable safeguards to protect the security, confidentiality and integrity” of New York residents’ data.

The SHIELD Act Impacts New York Businesses Across Industries

Back in the spring of 2019, the New York legislature passed Senate Bill 5575, the Stop Hacks and Improve Electronic Data Security Act, aka the SHIELD Act.

The SHIELD Act imposes specific cybersecurity requirements and applies to any person or business that owns or licenses computerized data that includes private information of New York residents, including biometric data, unsecured health information, financial account numbers, and email addresses along with corresponding passwords or security questions and answers.

SHIELD Act Cybersecurity Requirements

Similar to the CCPA and the GDPR, the SHIELD Act expands liability to any organization that collects private information of New York residents, regardless of where it was collected. This means that an organization does not necessarily have to conduct business in New York in order to come under the purview of the SHIELD Act.

By expanding the definitions of “breach” and “private information,” the SHIELD Act has significantly expanded New York’s data breach notification laws. The expanded definitions, in effect, create more instances where a business would be required to notify New York residents of a data breach.

Under the NY SHIELD Act, a Cybersecurity Program must coincide with best practices that support:

  • Information Security
  • Access Controls and identity management
  • Business continuity and disaster recovery planning
  • Security and Personnel Training
  • Security of information systems
  • Network Security
  • Periodic risk assessments
  • Internal reporting and auditing
  • Data Encryption and Protection
  • Threat Feed Detection
  • Incident Response Plans
  • Multi-Factor Authentication
  • Vendor/Third-Party Risk Assessments

The SHIELD Act defines private information data elements as:

While the SHIELD Act defines “personal information” as “any data about a natural person that can be used to identify the individual,” it defines “private information” as either personal information in combination with a variety of traditional non-public personally identifiable information, or a user name/email address in combination with a password or security question/answer that permits access to an online account.

Penalties for Non-Compliance

The SHIELD Act will be enforced by the New York Attorney General. The Attorney General can take action in court against a business if the business violates certain parts of the Act. As of the middle of 2019, the Attorney General’s office has fined over $600M related to data breaches.

The Attorney General must act within three years of becoming aware of a violation (including where the business notified the Attorney General of the breach directly).

Fines can be issued under the Act where a business has failed to properly notify people affected by a data breach. The fines will be a civil penalty of either:

  • $5,000, or
  • $20 per violation (i.e., per person who was not properly notified of the breach), up to a maximum of $250,000

The Attorney General will issue whichever of these two penalties is greater.


Overview of the SHIELD Act

In order to meet the 2021 deadline, companies should take necessary steps to ensure that they are in compliance with the SHIELD Act. These steps include:

Data Mapping

A process must be implemented to identify the type of private data collected, how it is being stored, and if that information is being utilized. A process then must be put into place to control and restrict certain access to all PII.

Cybersecurity Audit

A technology audit is vital to identify where you are vulnerable to being hacked, which will allow us to recommend the appropriate precautions and install the proper preventive measures to defend against cybersecurity threats.

Penetration Testing

A test designed to show where your vulnerabilities lie and how attackers could gain access to your network's sensitive information, producing the information needed to take the most appropriate course of action.

Providing Notice of a Data Breach

If a data breach occurs, the SHIELD Act requires a business to communicate directly with the people who have been affected by the data breach, and also to inform public authorities with the appropriate type of data breach notice.

What Counts as a Data Breach?

Rather than “data breach,” the SHIELD Act uses the term “breach of the security of the system.” This can cover situations where a system has been compromised but it isn’t clear whether data has been accessed or acquired.

Whenever you have notified individuals about a data breach, you’ll also need to notify these public authorities:

  • New York State Attorney General
  • New York Department of State
  • New York State Office of Information Technology Services

Not ready to call us just yet? Claim Your FREE Copy Of The Report.


6 Critical Facts Every Business Owner Must Know about The NY’s SHIELD Act: Data Breach Notification Law

The SHIELD Act expands the definitions of a breach and private information, and requires businesses to have controls in place for breach prevention.