SHIELD Act in NY State

The SHIELD Act takes effect in NY State on March 21, 2020. Do you know what it is and how it applies to your company?

When working with a managed IT provider on Long Island, it’s important to choose the right company to work with. Companies such as Network Outsource work with clients on more than just repairing and maintaining their IT network. In today’s market, it’s just as important to secure the data that your business uses from theft and corruption. Recent mega-breaches have heightened concern about the security of data including personal information. Since it doesn’t seem as if the federal government is providing a solution, New York joined the growing list of states that are requiring security obligations on businesses.

What is the SHIELD Act in New York?

On July 26, 2019, New York’s governor signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act which requires businesses in New York to implement safeguards for any private information belonging to New York’s residents, and broadens New York’s security breach notification requirements. Any business or organization that has employees in New York must comply with the SHIELD Act, because the private information used by human resources departments includes employee names and Social Security numbers.

Does the SHIELD Act Apply to Other States?

Businesses without a New York office may still be required to comply with the SHIELD Act, because the law applies to any business that has the private information of New York residents. This information includes driver’s license numbers, credit or debit card numbers, bank account numbers, biometric information, medical information, and user names or email addresses. Since the SHIELD Act is so broad, and the requirements it imposes are relevant to human resources professionals as well as in-house employment counsel, every employer needs to learn about the SHIELD Act and its implications for their business.

What is Human Resources’ Role?

Employers that are in possession of any New York residents’ private information are required to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information,” according to the new law.

The SHIELD Act doesn’t mandate specific safeguards for employers to implement but instead provides that a business will “be deemed in compliance with” the standard if it puts in place a data security program that includes the elements listed in the new law. Some of the elements relevant to HR are:

  • Designating employees to coordinate the data security program
  • Training and supervision of employees in the security program procedures and practices
  • Assessing risks and implementing controls to reduce them
  • Vetting service providers and binding them contractually to also safeguard private information
  • Destroying private information securely within a reasonable amount of time after it is no longer needed

The HR team can play a crucial role in the implementation of the data security program and must ensure that anyone designated to administer the program has enough bandwidth to perform these responsibilities. All employee training is generally overseen by the HR department, so adding information security training would be a natural topic for HR professionals.

What Should Be Included in a Risk Assessment?

Risk assessments should focus on technical threats, but should also cover threats from negligent and malicious actors within the company. It’s typical for an HR department to outsource functions that involve private information, so these vendors’ data security programs should be vetted and their contracts should include information security terms. HR is also responsible for the secure destruction of private information belonging to any New York employees when appropriate.

Businesses with fewer than 50 employees or less than $3 million in gross annual revenues are only required to ensure that their data security safeguards are appropriate for the size and complexity of the business, the nature and scope of the business’ activities, and the sensitivity of the personal information handled.

All businesses of any size that are in compliance with other regulations requiring information security including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act Security Rule, or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies, are deemed compliant with the SHIELD Act.

The SHIELD Act specifically states that it does not confer a private right of action but provides for enforcement by the New York State attorney general. The SHIELD Act’s data security requirements take effect on March 21, 2020.