By Mary Grlic
In a world where technology is rapidly evolving and data is everywhere, it is more important than ever to protect people’s private information. Countries like Brazil (LGPD), Great Britain (GDPR), and Canada (PIPEDA) are implementing stricter cyber security guidelines. Areas in the United States, like New York State, are also starting to adopt similar compliance policies. On July 26, 2019, Governor Andrew Cuomo signed the “Stop Hacks and Improve Electronic Security” (SHIELD) Act to strengthen NYS security laws. The act officially went into effect on March 21, 2020. The SHIELD Act covers “[a]ny person or business which owns or licenses computerized data which includes private information.” Meant to protect people and their private information, the SHIELD Act introduces proactive measures that keep pace with recent technological advancements. The SHIELD Act amended the 2005 Information Security Breach and Notification Act with updated policies suited to a more data-driven world.
What is Private Information?
The Information Security Breach and Notification Act, passed on December 7, 2005, required that New York State residents be informed when a security breach exposed their private information. The SHIELD Act amends this law by extending the types of “private information” that NY residents must be made aware of in the event of a data breach. It also requires that companies implement more extensive safeguards to secure and protect private information. The SHIELD Act defines “personal information” as information concerning a natural person which, because of a name, number, mark, or other identifier, can be used to identify that person. “Private information” can include a social security number, driver’s license number, account number, and, more recently, biometric data and financial account numbers.
What is a Security Breach?
Under New York’s 2005 act, a security breach is “an unauthorized acquisition of computerized data which compromises the security, confidentiality or integrity of private information.” The SHIELD Act expands the definition of a security breach to any “unauthorized access” to electronic data. This slight change in wording broadens the protection of private information in the event of a hack or data breach. For example, if someone hacks a corporate email account, the employer may be able to determine whether data was “acquired” from the account, but cannot easily tell whether the hacker “accessed” any personal information stored within it. In response, a compliant security program places greater emphasis on training employees to recognize and avoid phishing traps.
Security breaches can be detrimental to people and their organizations. Since people keep a great deal of private information on their devices, a privacy breach is more harmful now than ever. It is important for organizations and individuals to understand the effects of a security breach as well as ways to prevent one. With the updated definition of a data breach in effect in 2022, businesses have to be even more secure and careful to prevent unauthorized access. By complying with the SHIELD Act, businesses protect themselves and gain a better understanding of the importance of privacy protection.
SHIELD Act Compliance
The law requires that companies in New York have a security protection program when they have any computerized personal data. Applicable organizations must have administrative, technical, and physical safeguards to ensure the protection of information and compliance with the SHIELD Act.
Administrative safeguards concern the way organizations manage their data and their employees. As directly stated by the SHIELD Act, an administrative safeguarding program is one that:
- Designates one or more employees to coordinate the security program
- Identifies reasonably foreseeable internal and external risks
- Assesses the sufficiency of safeguards in place to control the identified risks
- Trains and manages employees in the security program practices and procedures
- Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract
- Adjusts the security program in light of business changes or new circumstances
Technical safeguards include the following, as directly stated by the SHIELD Act:
- Assesses risks in software and design
- Assesses risks in information processing, transmission and storage
- Detects, prevents and responds to attacks or system failures
- Regularly tests and monitors the effectiveness of key controls, systems and procedures
Reasonable physical safeguards pertain to the physical storage of data, such as on hard disk drives. The physical safeguards include, as directly stated by the SHIELD Act:
- Assesses risks of information storage and disposal
- Detects, prevents and responds to intrusions
- Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information
- Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
Protection under the SHIELD Act
The SHIELD Act also sets out requirements for the inadvertent disclosure of private information. If a professional accidentally shares the wrong employee’s social security information via email, the business must document in writing that the disclosure will not result in misuse, and must keep that documentation for five years. For any unlawful access, an organization must issue a data misuse notification in writing, by email, or by telephone, and must keep a log of all notifications. The notification must include the business’s contact information, relevant phone numbers and websites, and a description of the event.
Who Must Comply?
The state modifies the compliance requirements for small businesses that meet one of the following criteria: fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets. Small businesses can scale the SHIELD Act’s requirements to fit the size of their company. Organizations already subject to federal regulation, such as medical firms or healthcare professionals who follow HIPAA, also have compliance exceptions. These companies do not need to issue another notification to consumers beyond what is already required of them. They must still notify state and consumer reporting agencies, depending on the organization and the protection rights that apply.
Failing to maintain a compliant security program can result in a penalty of up to $5,000 per violation. If companies do not abide by the security laws in the SHIELD Act, they can be fined up to $250,000. Additional fines are outlined within the SHIELD Act.
Protecting your Organization
The SHIELD Act is intended to protect the privacy and security of businesses and their employees. Compliance with the SHIELD Act requires an effective response from an organization’s IT department or its managed IT service provider. IT services can help your organization abide by the safeguards within the SHIELD Act, so it is important to engage one to make sure your company is protected. Good management is also essential to ensuring data security. Companies should take measures to abide by the safeguards and laws in the SHIELD Act described above. Such measures may include:
- Training employees about data security, such as how to avoid phishing
- Installing firewalls and internet security measures to prevent the compromise of data
- Wiping and destroying hard disk data after the retention period ends
- Implementing two-step verification when signing into corporate accounts
- Proactively responding to potential issues before it is too late
- Closely monitoring security measures
- Protecting personal data through backups
Additional Resources Regarding the SHIELD Act
Official SHIELD Act – NY Senate Bill