Effective 3/23/2020, New York’s “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act) imposes new data security requirements, expands data breach notification requirements, and mandates covered businesses to have reasonable data security safeguards.
The Act applies to any person or business, even those outside of the state, owning or licensing computerized data containing “private information” of a NY resident.
The SHIELD Act requires companies to implement and maintain reasonable data security measures to protect the security, confidentiality, and integrity of private information. The Act also expanded on the definitions of:
“Private Information” to include a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, and
“Breach” to include unauthorized access, rather than solely unauthorized acquisition.
To comply, an entity must either:
Have a compliant data security program under the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act), New York’s Department of Financial Services (DFS) cyber regulations, or other applicable federal or New York cybersecurity regulations; or
Have a data security program with reasonable administrative, technical and physical safeguards. The statute specifies what measures are required to meet the reasonableness requirement and provides examples.
Keep in mind - small businesses are not exempt from implementing data security safeguards, although the safeguards need only be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” Small businesses are defined, for this purpose, as any person or business with fewer than 50 employees; less than three million dollars in gross annual revenue in each of the last three fiscal years; or less than five million dollars in year-end total assets.
Take action – partner with your IT team and legal counsel to do the following:
Ensure that designated employees are able to fulfill their responsibilities to implement and maintain the data security program.
Train employees on data security.
Assess information security risks posed by negligent or malicious insiders.
Negotiate information security provisions in agreements with vendors that handle private information.
Ensure that sensitive information is securely destroyed promptly after data retention periods expire (assuming a legal hold has not been implemented).
Failure to comply may result in penalties up to $250,000. Reach out to your Kiwi Advisor if you have any questions regarding the expansion of the SHIELD Act.