In October 2019, the first provisions of New York State's Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) took effect. The Act requires any business that holds certain private information about New York State residents to notify them of a data breach, regardless of whether the business itself operates in New York. A second part of the Act takes effect on March 21, 2020 and requires those businesses to implement a data security program with reasonable safeguards for that private information.
Scope of the Act
The Act expands New York State's existing breach notification law to cover any business that holds private information about New York State residents, not only businesses that conduct business in the state, and to require notification when that data is exposed to an unauthorized party. It also broadens the definition of a breach: businesses must now report unauthorized access to private information, not just unauthorized acquisition of it, which brings incidents such as an intruder viewing records into scope even where nothing was copied out.
Businesses won't necessarily have to report every incident, however. If they determine that an instance of unauthorized access is unlikely to result in misuse of the data or harm to the affected residents, notification is not required, but they must document that determination in writing and keep the record for five years. In addition, the Act defers to certain existing regimes: a business that is already subject to and compliant with the data security rules of HIPAA, the Gramm-Leach-Bliley Act, or the New York Department of Financial Services cybersecurity regulation is deemed compliant with the Act's data security requirement, and a breach notice given under those regimes satisfies the Act's notice requirement.
Consequences for Violating
The penalties for violating the Act are civil fines enforced by the New York Attorney General. Failing to provide required breach notifications carries a penalty of $20 per failed notification, up to a maximum of $250,000; failing to implement the required data security program carries a penalty of up to $5,000 per violation, with no aggregate cap. To maintain compliance with the Act, businesses must first determine whether they hold the following information on New York State residents:
Changes to Business Structure
Businesses affected by the new law will have to adjust their operations relatively swiftly to keep pace. The data security program required by the Act's second provision will be the more demanding part to implement. On the administrative side, a business must designate one or more employees to coordinate the security program, identify reasonably foreseeable internal and external risks, assess whether its existing safeguards control those risks and design new ones where they do not, train its workforce in the program's practices, and select service providers capable of maintaining appropriate safeguards and require them to do so by contract.
Businesses will also have to address the technical and physical aspects of their data storage systems. On the technical side, they must assess risks in network and software design and in information processing, transmission, and storage, and implement controls to address them, and they must regularly test and monitor the effectiveness of key controls, systems, and procedures. On the physical side, they must assess the risk of unauthorized access to hardware and storage facilities, protect against unauthorized access to or use of private information during its collection, transport, and disposal, and dispose of private information within a reasonable time after it is no longer needed, erasing electronic media so that the data cannot be read or reconstructed.
Data Security Grows with the Times
Small businesses are held to a more lenient standard: a business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets need only maintain safeguards that are appropriate to its size and complexity, the nature of its activities, and the sensitivity of the information it holds. Even so, the new law is part of a growing trend toward stronger data security legislation at the state level. These laws follow several years of news reports about high-profile breaches at major tech firms and government agencies, and they signal a heightened public sensitivity to data security as the commercial internet nears its fourth decade.
Secure Data can help organizations adapt to the new regulatory environment. Our SecureDrives protect data at rest so that unauthorized parties cannot read it: the drive remains locked until the owner authenticates with a PIN or a biometric identifier, which addresses the loss-of-device and physical-access risks the Act requires businesses to assess. Our data recovery services maintain a series of privacy and security attestations, including HIPAA compliance and FIPS 140-2 Level 3 validated data handling practices. Call us at 1-800-388-1266 to learn more about how our data security products and services can help your business become compliant.