In an effort to help business owners maintain compliance, this is the latest in a series of articles that provide a state-by-state analysis of data security and privacy regulations.
On July 25, 2019, New York’s Governor signed into law the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") amending New York's data breach notification law. The breach notification amendments took effect on October 23, 2019, while the data security requirements took effect on March 21, 2020. If you have not assessed your company’s compliance with this regulation, your company is currently at risk.
Below are commonly asked questions we have received from our clients, including key points about the SHIELD Act that you need to know:
Who must comply? The SHIELD Act expands the territorial application of the breach notification requirement to any person or business that owns or licenses "Private Information" of a New York resident, which can include businesses located outside of New York State. Previously, the law was limited to those that conduct business in New York.
What is "private information?" The SHIELD Act broadens the definition of "private information" and includes:
What is considered a "breach" of private information? The SHIELD Act expands the definition of a breach of the security of the system to include unauthorized “access” of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business. Previously, a breach was defined only as unauthorized acquisition of computerized data.
The reason this is important is that "access," as opposed to "acquisition," is the operative term. This creates a broader definition of a data breach, since malicious actors do not need to exfiltrate data in order for an incident to be classified as a breach. Instead, they only need to gain unauthorized access to the data.
What should I do to comply? The SHIELD Act requires companies to maintain reasonable security by implementing a data security program that includes:
Companies that are in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA) or the New York State Department of Financial Services cybersecurity regulations shall be deemed in compliance with the SHIELD Act.
What is the penalty for non-compliance? Failure to implement a data security program that complies with the SHIELD Act would be a violation that is enforceable by the New York State Attorney General. This could result in civil penalties, as determined by the court, of the greater of $5,000 or up to $25 per instance of failed notification, provided the latter amount shall not exceed $250,000.
This list is a summary of important SHIELD Act information that companies should know about, and is not intended to be a comprehensive analysis. Our IT Risk Assurance & Advisory team can provide you with the analysis you need and assist your organization in creating a tailored plan to comply with the SHIELD Act. For additional information please contact a member of your DGC client service team or Donny Butler, CPA, CISA at 781-937-5137 / email@example.com.