Is Your Organization in Compliance with the SHIELD Act?

Has your organization heard about the passage of the SHIELD Act? Learn what it is, what you need to know, and what you will need to do to become compliant.  

In 2018, top security firms estimated that billions of Americans were impacted by data breaches. According to the numbers, 765 million Americans’ data was compromised during the months of April, May, and June. Cybersecurity incidents increased by 32 percent overall in 2018 from the previous year, with a 47 percent increase during the months of April to June. In response to growing concerns over the threat of data breaches and the compromise of sensitive consumer data, some states are passing tougher laws for organizations. The SHIELD Act became law in New York State on July 25, 2019. Designed to introduce stricter notification and security protocols, organizations can face significant financial penalties for non-compliance.

What Does the SHIELD Act Stand For?

The “SHIELD” portion of the law’s name translates to “Stop Hacks and Improve Electronic Data.” By expanding New York State’s existing data breach law, the Act aims to protect consumers from having their personal data compromised. Organizations will now be responsible for protecting the personal and private data of individuals. This applies to individuals that work for or conduct business transactions with the firms.

Notification Requirements

Under the new law, if a data breach occurs or consumers’ personal information is compromised, organizations are responsible for notifying the impacted individuals as soon as possible. Organizations must give notice by written or electronic means, through phone, and/or through a public announcement, website post, press release, or via a mass media announcement. If organizations currently use an outside IT vendor for network management, these vendors should not only be aware of the SHIELD Act, but should be taking measures to ensure organizations are in compliance and measures are in place to protect against cybersecurity attacks.

The definitions of private information and data breach are also expanded under the Act. Private information now includes biometrics, usernames, email addresses, passwords, and security questions and answers. Account numbers and credit card or debit card numbers are also included, even if these numbers can be used without additional codes or passwords. The definition of a data breach now includes unauthorized access of data that results in the compromise of the integrity, security, and confidentiality of private information, according to legal blogs. While the notification requirements went into effect October 23, 2019, the Act’s data security requirements are scheduled to take effect on March 21, 2020.

Data Security Requirements

Any individual or firm that either owns or licenses personal information of a New York resident must comply with both the notification and data security requirements. The data security requirements entail putting into place cybersecurity protocols. This means designing and implementing methods to safeguard the security, integrity, and confidentiality of personal and/or private information. Firms must demonstrate that specific methods are being carried out, including but not necessarily limited to employee and vendor training, assessing risks, vendor contract compliance, and properly storing and disposal of data. Penalties for noncompliance with the Act can be up to $250,000.

Ensuring Compliance

Organizations that hire IT managed services vendors should be engaging in conversations with those vendors to ensure compliance. Several measures can be taken to comply with the Act’s requirements. This includes implementing encryption, assessing risks and vulnerabilities, restricting access, and updating policies and procedures.