How to Comply with the New York SHIELD Security Act

If your company does business in New York, or has New York-based consumers, then you need to understand the SHIELD Act. The New York "Stop Hacks and Improve Electronic Data" Act went into effect in 2020, and requires businesses to implement safeguards against the misuse or theft of private consumer information. The SHIELD Act expanded data and security breach notification requirements, updated the definition of security breaches, and extended protection to a larger set of personal information.

An In-Depth Breakdown of the SHIELD Act, and What It Means for New York Businesses: 

How the SHIELD Act Defines Private Information

Under the SHIELD Act, there are four main categories of private information:

• Financial Accounts - any combination of data elements that would grant direct access to a person’s financial account(s). For example, a name or account number along with a social security number or driver’s license number, plus a password or security code.

• Online Accounts - any combination of data elements that would grant direct access to an online account. For example, an email address or username, plus a password or security code.

• Credit Information - an account number or credit/debit card number combined with individually identifying information sufficient to grant mediated access to an account. For example, a name, address, account number, plus answers to security questions.

• Biometric Data - Biometric data such as fingerprints or retina images combined with personally identifying information sufficient to grant access to an online account.

The SHIELD Act defines a breach as access to private information, not its acquisition. This greatly broadens the range of incidents that may qualify as data breaches. Even encrypted information may trigger a breach-report requirement, if the associated encryption key was also accessed. In the event of a breach, companies must report the incident to state authorities.

How to Comply with the SHIELD Act

The Act claims broad jurisdiction, and requires that all companies operating in New York state have a data security program that at least includes the following:

• Companies can satisfy the requirements of the act by following a cybersecurity framework like NIST or CIS.

• For SMBs, the Act does have provisions for smaller businesses to enact a “reasonable” data security program relative to the size of their business.

• They define such businesses as companies of fewer than 50 employees and those whose gross revenues have not exceeded $3 million in the last three years.

Failure to establish a compliant security program is punishable by civil penalties of up to $5,000 for each violation. More significantly for MSPs and their clients, the Act allows for injunctive relief against companies that fall out of compliance. Avoid the high-cost of noncompliance by taking the following steps: implement reasonable safeguards, designate at least one person to coordinate the security program, and regularly assess risks. For more information about SHIELD Act compliance, or other regulatory frameworks, reach out to iCorps for a free IT consultation.