New York's SHIELD Act passed in July 2019 and it affects the way companies deal with the personal data of any New York resident. Do you comply?
What is New York's SHIELD Act and how does it affect your business?
That's a question that all businesses should answer - even if your business isn't located in New York. If you do business with residents of the state and have access to or use of their private information, this new cybersecurity law may well impact your business. It's important that you understand the law and how it applies to the way you handle data.
What Is New York's SHIELD Act?
Adam Mahoney, CEO at Network Outsource, a New York City IT services company, shares: "Stop Hacks and Improve Electronic Data, otherwise known as the SHIELD Act, was signed into law by New York's governor on July 25, 2019, and went into effect on October 23, 2019. The law expands the laws that were already in place to govern business and data breaches, though this law specifically seeks to protect New York's residents."
Aaron Fox, CEO of Buffalo, NY computer services company Buffalo Computer Help, says: "If your company is located in New York and you have any employees, the SHIELD Act directly impacts the way you do business with regard to your employees' information. For companies located outside of New York, the law still may be important if you deal with any personal data from New York residents."
This act was created to bring the law up to date with current technology and cybersecurity issues. It's geared to protect the personal and private information of citizens, and the law highlights the way that businesses protect their employees' information, though it's also applicable to customer information if that data falls under the category of personal or private information.
The types of information considered personal or private were expanded significantly under this act. They include biometric information (such as facial recognition, iris scan, or fingerprints), name, email address, passwords, personal address, credit card information, bank account information, personal identification or driver's license numbers, Social Security information, and any encrypted information where the encryption key was compromised.
This law also makes the company responsible for protecting its employees' data from hackers and cybersecurity breaches, as well as internal theft.
What Does Your Business Need to Do to Comply?
The SHIELD Act specifies that businesses need to maintain reasonable security measures and follow a set notification protocol in the event of a breach. Here are a few steps you'll need to take if you deal with any personal or private data of New York residents:
- Audit Your Breach Notification Protocol and Update to Comply. You'll need to make certain that your breach notification process covers all of the information this act added, and that any notifications you send meet the requirements for both time frame and content.
- Update Your Data Security Program. This is a good time to assess your current process and cybersecurity plan and make updates as necessary.
- Update Training for Employees. Many cyber breaches are the result of employee error or malfeasance. Making sure training is effective is one way to limit human errors that can compromise security.
- Implement Reasonable Safeguards. This can include technical and administrative safeguards that make tracking breaches, and being alerted to them, far more effective.
- Update Your Data Disposal Policy. Part of the SHIELD Act stipulates that companies need to properly dispose of sensitive information in a reasonable amount of time after that information is no longer relevant to the business.
In short, the SHIELD Act seeks to protect individual citizens by expanding the legal definitions of personal data and including newer cyber threats in the law. For companies, it means making sure that you maintain compliance in the way that you handle data and report breaches.