
New York State has joined the growing list of states imposing data security obligations on businesses. On July 25, 2019, New York’s governor, Andrew Cuomo, signed the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act. The SHIELD Act requires businesses to implement reasonable safeguards for the private information of New York residents and broadens New York’s security breach notification requirements, including the definition of what counts as a “breach” and the types of data that trigger notification.

Businesses, large or small, that are subject to and in compliance with other legislation requiring information security, such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act Security Rule, or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), are deemed to be in compliance with the SHIELD Act’s safeguards requirement. Note that this safe harbor covers the “reasonable safeguards” obligation only; the breach notification provisions still apply.

So what does this mean for employers? 

The SHIELD Act applies to any person or business that owns or licenses computerized data containing the private information of a New York resident, whether or not the business is located in New York. That includes every employer with employees in NYS. Such employers must “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

The state defines “private information” as personal information (such as a name) in combination with any of the following: a Social Security number; a driver’s license or non-driver identification card number; an account number or credit or debit card number, together with any required security code, access code, password or PIN, or alone if the number by itself could be used to access the financial account; or biometric information (such as a fingerprint, voice print, or retina or iris image). It also covers a username or e-mail address in combination with a password, or a security question and answer, that permits access to an online account.

The SHIELD Act does not mandate specific safeguards, but it lists examples of practices that are considered reasonable administrative, technical and physical safeguards. A business will be deemed to be in compliance with this standard if it implements a data security program that includes all of the elements enumerated in the SHIELD Act. Those elements are:

Administrative Safeguards

  • Designate individual(s) responsible for security programs;
  • Conduct a risk assessment that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of the safeguards in place to control those risks;
  • Train and manage employees in security program practices and procedures;
  • Select capable service providers and require safeguards by contract; and
  • Adjust program(s) in light of business changes or new circumstances.

Physical Safeguards

  • Assess risks of information storage and disposal;
  • Detect, prevent, and respond to intrusions;
  • Protect against unauthorized access/use of private information during or after collection, transportation, and destruction/disposal; and
  • Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes.

Technical Safeguards

  • Assess risks in network and software design;
  • Assess risks in information processing, transmission, and storage;
  • Detect, prevent, and respond to attacks or system failures; and
  • Regularly test and monitor the effectiveness of key controls, systems, and procedures.

In addition to the safeguards in the new law, organizations should consider others, such as:

  • Developing access management plans;
  • Maintaining written policies and procedures;
  • Applying sanctions to individuals who violate the organization’s data privacy and security policies and procedures;
  • Implementing facility security plans;
  • Maintaining and practicing disaster recovery and business continuity plans;
  • Tracking inventory of equipment and devices;
  • Deploying encryption and data loss prevention tools;
  • Developing and practicing an incident response program;
  • Regularly updating antivirus and malware protections;
  • Utilizing two-factor authentication; and
  • Maintaining and implementing a record retention and destruction policy.

Two types of businesses can satisfy the “reasonable safeguards” requirement without implementing the full data security program described above: the regulated entities already deemed compliant under other laws (GLBA, HIPAA, NYDFS), and small businesses. A small business is one with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets. A small business need only ensure that its safeguards are appropriate for its size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it collects.

The SHIELD Act’s data security requirements took effect on March 21, 2020 (the expanded breach notification requirements took effect earlier, on October 23, 2019), so it is crucial to evaluate your current systems now. As experts in cyber security, Acme Business can assess your environment and make sure everything is in compliance with the new legislation.

Source: https://www.shrm.org/resourcesandtools/legal-and-compliance/state-and-local-updates/pages/new-york-shield-act.aspx