Due to the increasing concern about the security of personal information, many states feel the need to implement data and cybersecurity laws to protect private information utilized by these malicious hackers. On July 26th, the governor of New York signed the SHIELD Act to protect the state’s resident’s data and broaden New York’s security breach notification requirements. The SHIELD ACT or Stop Hacks and Improve Electronic Data Security Act requires in the state of New York that any person, business owner’s computerized data which includes the private information of a resident of New York (“Covered Business”) to not only implement but maintain reasonable safeguards to protect the confidentiality, security, and integrity of the private information but to have proper breach notification requirements.
Every NY business owner must comply with the SHIELD Act because “private information” includes a lot of sensitive data. It is imperative to understand what the definition of private information means as it includes, but is not limited to a username or email address in combination with a password, a name, phone number, driver’s license number, CC number, etc. This does NOT include publicly available information that is lawfully available. This act also expands the definition of Breach, as Breach now includes unauthorized access, rather than solely unauthorized acquisition.
To be compliant with the SHIELD Act’s data security requirements, a business must implement a data/cybersecurity program that has reasonable administration safeguards, reasonable technical safeguards, and reasonable physical safeguards. These reasonable safeguards must be appropriate and align with the size/complexity of a business. This act highlights the importance of HR professionals and in-house employment involvement in their organization’s information security. This act adds an important aspect that requires there to be breach notification requirements.
For example, if an HR Professional accidentally emails private information to the wrong employee containing “private information” the employer must document this as inadvertent disclosure which won’t result in misuse and maintain this documentation for 5 years. If the information contained more than 500 New York residents the employer would have to submit documentation to the attorney general within 10 days. If you fail to comply and notify the attorney general, there are $20 fines per notification with a maximum penalty of $250,000 (Effective Oct. 23,2019.)
This is extremely important for employers to understand in order to comply with the law. The responsibility employers, HR professionals, and employees have regarding properly handling data can impact a business tremendously. The fines associated with mishandling data can lead to millions of $$$ in losses. Make sure you understand the laws, make sure you protect your data, and make sure if your company experiences a data breach you have proper risk management strategies in place to pay for the losses.
Download our SHIELD Act Guide Here
For More Information on the Shield Act and how your organization can be compliant, contact a Risk Advisor or call 914-357-8444