New York Shield Act
Cyber Compliance in New York
New York State is requiring businesses to adopt more stringent data security safeguards for customers’ personal information. What impact will the new SHIELD Act have on local businesses?
Cybersecurity in NY | Interview (Excerpt)
Devi Momot - CEO, Twinstate Technologies: What this law looks to do is to make employers and custodians of personal information more secure and accountable. Most everything is digital now; companies hold information on us -- about our birthdays, our social security numbers, biometric information, answers to security passcode questions -- and all those types of information are considered to be private and unique to an individual, and therefore the custodian of that information should keep it private and secure.
Jacqueline Kelleher - Attorney, Stafford Owens: This Act applies to all businesses but there are different standards. So, if you are a business with less than 50 employees, or less than $3 million in annual revenue, or less than $5 million in assets then you are considered a small business and have to take reasonable steps to protect your business.
So, my company, we have less than 15 employees, so we're going to meet that test, but our standard for privacy is going to be much higher than the local pizza shop. You have to do what's reasonable for the type of business you have and the type of information you have.
But companies that don't meet that test -- they will have to meet a broad range of pretty stringent standards and those companies probably have some steps they need to take to get into compliance.
Watch the full interview with Mountain Lake PBS.
Three Levels of SHIELD Compliance:
- A business must implement all three levels of safeguards to meet the "reasonable security" standard
- 1. Technical safeguards include getting a risk assessment
- 2. Physical safeguards include network threat monitoring and data protection
- 3. Administrative safeguards include delivering cybersecurity awareness training
- Any business that collects or possesses private information about New York residents must comply with SHIELD
- The State Attorney General can levy fines of up to $250,000 for SHIELD violations
Why So Much Fuss Over SHIELD?
The last year was a significant year for cybersecurity legislation. It saw over 330 bills and regulations pertaining to cybersecurity introduced in at least 36 states. You may have heard about some of these new rules, such as the California Consumer Privacy Act (CCPA), but the SHIELD Act stands out as unique. The SHIELD Act, like CCPA, requires companies to adopt security programs to reduce the risk of a data breach. However, SHIELD, unlike CCPA, defines the specific steps a business must take to meet a “reasonable security” standard.
SHIELD is also unique in that it broadens the definition of a “breach” to include not just theft of digital information but also unauthorized access to such data, for example an employee who finds and opens documents on your network without valid authorization. In the event of unauthorized access to data under SHIELD, a consumer notification must be sent, whereas before SHIELD a notification was only triggered if consumer data was acquired by an unauthorized person or persons.
How To Be SHIELD Act Compliant
The administrative safeguards prescribed by New York State include naming a CISO, proactive threat monitoring, conducting a risk assessment, delivering security awareness training, and incident response planning. It’s important to have a consultative partner when planning to meet these requirements so that organizations don’t spend more than necessary to achieve compliance.
The tools needed to reach compliance are complex and vary in their feature sets, but working with a trusted partner can help you select tools that maximize the utility of your compliance investment. For instance, Twinstate Technologies can help businesses choose a single threat monitoring solution that satisfies four different safeguards across the technical, physical, and administrative categories.
NY SHIELD Penalties Are Increased 66%
The state of New York has a history of being tough on data security. Before the SHIELD Act was signed into law, the State Attorney General had already issued fines totaling over $600M related to data breaches. Under the new legislation, penalties are increased by 66%: the Attorney General can levy fines of up to $250,000 for violations by a business.
Who is Required to Comply With NY SHIELD?
The SHIELD Act has no borders. It does not matter whether your business headquarters are in Albany, NY or Atlanta, GA – if you collect or possess private information about New York residents, then you must comply with the SHIELD Act.
New York State is imposing compliance obligations on any employer that has an employee in the state of New York. Employers without employees in New York may still be subject to compliance. Certain information collected during online hiring processes may trigger coverage.
Large or small, any business in or doing business with the state of New York is required by the state to comply. Compliance is not optional. However, compliance requirements are different for companies defined as small and companies defined as large. How does the SHIELD Act define a “small” and “large” business?
Small Business Defined Under SHIELD
The state of New York classifies a business as small if it has fewer than 50 employees; or has less than $3M of gross revenue in each of the last three years; or has under $5M in total year-end assets when calculated in accordance with GAAP. New York State considers a business large if it meets none of the criteria for a small business.