There's no denying that, year after year, cybersecurity risks tend to increase in number and complexity. New York joined the growing list of states enacting legislation to try and regulate the use of private, personal data.
The New York Stop Hacks and Improve Electronic Data Security Act, known as the SHIELD Act, is something businesses and individuals need to be aware of.
What is the SHIELD Act?
The New York SHIELD Act requires businesses to implement specific safeguards for New York state's residents regarding their personal information. The act broadens New York's security breach notification requirements to protect residents from data breaches and other forms of cyberattacks. There are no exceptions to the law for small businesses, although there is some relief (described later).
The law officially went into effect on March 21, 2020. Here are some of the significant changes that this law introduces:
- Updating the Definition of Private Information: Includes biometric information, account numbers, banking information, usernames and email addresses, and passwords and security questions/answers.
- Updating the Definition of Data Breach: Now includes unauthorized access of data that compromises the security, integrity or confidentiality of private information.
- Expands the Territorial Scope: The act now applies to any individual or business that owns/licenses specific private information of NY residents. It used to only apply to companies.
- New Security Requirements: Requires that companies adopt reasonable security safeguards to protect the integrity, confidentiality and security of private information.
It shouldn't be a surprise that more states are enforcing regulations to protect individuals' data. Data is becoming increasingly valuable and is the perfect target for would-be hackers.
While the SHIELD Act is not as broad as the California Consumer Privacy Act (CCPA), businesses, regardless of industry, must do their best to protect private information.
Keep in mind that violations of the act are considered deceptive acts, and businesses could be punished as a result. Companies held responsible for violating the act can be fined up to $5,000 per violation.
So, how can you ensure that your business is compliant with this new SHIELD Act? Let's explore some tips you can follow to safeguard your business.
Tips for SHIELD Act Compliance
Below are some tips to follow to ensure your business is compliant with the New York SHIELD Act.
1. Identify and Classify Private Information
Because of the broad definition of private information in this act, it's critical that you first identify what information you use regularly. Then, take precautions to classify that data and prevent future cyberattacks from occurring.
In this case, taking extra preventive measures to safeguard information is worth the time, effort and resources. The last thing you want is to pay fines for violating the SHIELD Act.
2. Restrict Access to Private Information
Because it can be challenging to truly know the intentions of all your employees, you must keep access to your files and data storage limited. Employ access control methods to ensure only authorized employees can access any consumer data that fall under the act.
When an unauthorized source tries to access your files, you must act swiftly and essentially put out the fire before it spreads.
3. Implement a Data Security Program
Here are three critical components that should be included in your program:
- Physical Safeguards
- Technical Safeguards
- Administrative Safeguards
Regardless of the act, every business should implement a quality cybersecurity program to prevent instances of cyberattacks. Small businesses are especially vulnerable to hackers, as they may not have a dedicated IT department to handle these issues.
4. Train Employees on Data Security
One of the best practices to adopt for your business is educating and adequately training all employees about data protection. Being aware of the most common cybersecurity pitfalls can help eliminate the risk of experiencing a data breach.
Consider holding webinars for remote employees and in-person training opportunities for all employees, as this is a surefire way to make sure your employees understand the need to comply with the SHIELD Act.
As data becomes more accessible and valuable, it shouldn't come as a surprise that more states, such as New York, are enforcing regulations for businesses and individuals. Protecting personal data is a top priority in today's digital world.
Ensure Cybersecurity Protection in NY
Follow the tips listed above if you're concerned about the new SHIELD Act. By adopting these best practices, you will protect your business from paying for violations, which will, in turn, protect your reputation and position within your industry.
Small Business Relief
Businesses with fewer than 50 employees, less than $3 million in gross revenue in each of the last 3 years, or less than $5 million in total assets year end, must maintain a security program. However, they can adopt reasonable safeguards based on the size of the business.
Implications for Businesses in Other States
While the SHIELD Act’s reach is limited to New York, businesses in other states should use the tips listed above as best practices. Many others have data protection laws in place. Spirion has a list (you need to provide your information to access it).