New York’s Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD) in July of 2019 and it became effective March 21st of 2020. This act made several changes to New York’s data security and breach notification requirements, including the requirement of certain proactive security improvements.
More...
A New York State of Mind
You’re probably saying to yourself “I don’t live in or have a business in New York so who cares?” It is important to know that several states including New York, California, and Massachusetts have been enacting far-reaching laws. These laws allow states Attorney General's to stretch outside their state allowing them to bring suits against companies who have information about their residents. Old Blue Eyes may not understand this stuff, but you certainly need to!
1. Start Spreading the News
The first, and arguably the most important change to the law is that it’s reach expands beyond New York state and applies to any entity that owns or licenses private information of New York State residents. This means that the SHIELD Act puts your business in its aim should you have a data security breach.
People often believe that a data breach is always a large event that includes leaking of millions of records. Unfortunately for you, that is not the case and this law is working to change what is considered a breach. See number 3!
2. I'm Leaving Today
Second, this law widens the type of personal information protected under it. The act defines “private information” as Social Security Numbers, Driver’s License numbers, Credit/Debit card numbers, financial account information, biometric information, and online account credentials.
This variety of information captures a greater variety of data than many other states’ laws including California and Massachusetts.
3. I want to be part of it
Third, the SHIELD Act adds some subtle nuance to the types of security events that are deemed a breach and when they must be reported. Under the law a breach has happened where unauthorized access or acquisition of data that compromises the confidentiality, or integrity of private information. Previously the law only covered acquisition of data, and not access.
This means that a ransomware attack on your business (where data becomes encrypted, but most likely hasn’t been copied or viewed) could likely be considered a breach under the SHIELD Act. Even more reason to make sure you are protected against Ransomware attacks!
4. New York, New York!
Lastly, the SHIELD Act requires companies to have a three-pronged standard for protecting personal information of New York state residents. In order to be compliant with this, companies must implement a security program that includes reasonable administrative, technical, and physical safeguards.
Generally, companies that adhere to other compliance acts such as HIPAA, GLBA, or PCI DSS would be considered compliant with the SHIELD Act. However, if a company fails to implement the appropriate safeguards under the law the New York Attorney General has the ability to pursue injunctive relief or civil penalties.
Key Takeaway
The important takeaway here is that regardless of where your business resides, the data that it collects about people is critical to understand and most importantly, protect! BITS has the tools and know-how to make sure that you have systems in place to maintain compliance as well as protect against Ransomware and other potential data breaches. Contact us today to learn more!