
SHIELD Act Designed To Protect Consumer Privacy


Businesses To Comply With Cybersecurity Implementations as SHIELD Act Takes Effect March 21, 2020

Time is ticking for new and improved cybersecurity safeguards for businesses, as the SHIELD Act’s data security deadlines take effect on March 21, 2020. New York’s “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act), N.Y. Gen. Bus. Law § 899-bb, now requires the implementation of reasonable defenses by any business that collects the private information of New York residents.

This act broadens and redefines private information and breach notification, and informs organizations, including out-of-state and small- to mid-sized business owners, of their new responsibilities. The legislation comes as various states enforce more confidentiality and data security laws to protect consumer privacy as exposure to risk becomes more apparent.

Read on for more insight into the improvements the SHIELD Act makes and how businesses can enhance their data security programs to achieve compliance and avoid violations.

Redefining “Private Information” Under The SHIELD Act

Depending on the state, individual or organization, the definition of “private information” can vary widely. Under the SHIELD Act, New York now defines “private information” as:

  • Name, phone number, social security number, identification card or account numbers (driver or non-driver);
  • Credit or debit card number in combination with any security code, access code, password or any information that would permit access to an individual’s financial account;
  • Username or email address in combination with a password or security question and answer that would permit access to an online account;
  • Biometric information, including a fingerprint, voice print or retina image.

Broadening The Classification of a Data System Breach

The SHIELD Act also amended portions of the breach notification requirement. Previously, a breach was defined as an “unauthorized acquisition of computerized data.” Now, as a result of legislative changes, a breach includes:

  • Adding biometric information, and email address with a password, to the definition of personal information;
  • Notifying that information was viewed, communicated with, used or altered by a person without valid authorization or by an unauthorized person;
  • Notification to the New York Attorney General within ten (10) days of discovery of a breach if the breach affects over 500 New York residents;
  • Increased penalties for violations.


Listen to episode 169, “Episode 169 – The Cybersecurity Battle Plan For Businesses,” featuring Paul Hugenberg, III, on Rea’s award-winning podcast, unsuitable on Rea Radio.

How Does The SHIELD Act Impact Out-Of-State & Small-To-Mid-Sized Business Owners?

The SHIELD Act holds any company that does business within the state accountable to these new legislative guidelines. In other words, it may be time to assess your organization’s current practices and develop a data security program, and to consider implementing periodic risk assessments. Furthermore, it is imperative to assign a professional who is responsible for your organization’s security program and to take steps to develop a program designed to protect the confidentiality, integrity, and security of your company’s data.

It’s important to note, however, that this act does include exceptions for small businesses with fewer than 50 employees, less than $3 million in gross revenues in each of the last three fiscal years, or less than $5 million in year-end total assets. These exemptions allow such organizations to scale their data security program according to the magnitude and complexity of their business activities and the sensitivity of the information collected.

This exemption is valuable as it allows small business owners to have more flexibility when it comes to meeting the terms of the new standards.

Other notable exceptions apply to entities that are covered by and in compliance with any of the following, which are considered to be in compliance with the SHIELD Act:

  • The Gramm-Leach-Bliley Act (GLBA);
  • The Health Insurance Portability and Accountability Act (HIPAA);
  • The New York State Department of Financial Services cybersecurity regulations.

So let’s take everything into account. If you’re conducting business within the state of New York, ensure you are abiding by the new standards of the SHIELD Act no later than the date it takes effect, March 21. Failure to do so puts your business at risk of various violations. Lastly, reach out to a trusted cybersecurity and data protection advisor to perform risk assessments and implement cybersecurity safeguards. And, of course, you can always email the data security specialists at Rea & Associates for assistance.

By Travis Strong, CISA (Wooster, OH)
