It’s Time to Take the New York State SHIELD Act Seriously!
Last week we outlined the New York State SHIELD Act, which went into effect on March 21, 2020, and remains one of the most aggressive state data breach notification laws in the United States. The law applies to any New York person or business (including those operating outside New York State) that collects and maintains New York residents’ “private information”. Although the SHIELD Act applies to “a New York person or business that owns or licenses computerized data, which includes private information, of a resident of New York”, small businesses are particularly exposed because they constantly collect and transmit private information. Regardless of size, every small business must maintain a security program and adopt “reasonable” administrative, technical and physical safeguards for the sensitive personal information it collects. This includes information that clients send to a small business by unsecured email. Small businesses collect and store more sensitive personal information than they may realize. A data breach that exposes customer or client information could lead to damage claims, compliance costs, loss of business, and reputational damage that may take years to repair. Any small business that has a cyber incident involving the private information of a New York State resident must notify the New York Attorney General within ten days of discovering it.
Penalties are $20 per failed notification with a maximum penalty of $100,000 to $250,000. For “reasonable safeguard” requirement violations, penalties are up to $5,000 per violation.
Ignoring the requirements because of a lack of time, a reluctance to spend money or a fear of change is not an excuse the New York Attorney General will accept. In fact, a decision to stall, delay or do nothing is a decision to accept the abundant cyber risks small businesses face, as well as the harmful and costly penalties that follow. The upfront investment in protecting the company is small compared to the recovery costs and disruption after an incident. Your company could be held liable for damages as well as litigation costs, and future insurance premiums are likely to increase if the company is found at fault or negligent in its duty to take the necessary security measures.
PROACTIVE CONTROLS
Roark Tech Services recommends proactive administrative, physical and technology controls, developed from industry best practices and frameworks, to help ensure compliance with the New York SHIELD Act as well as other state, federal and international data privacy requirements.
Conduct a Security Risk Assessment: Assessments provide complete insight into the overall security posture of the company and offer the opportunity to develop a practical, prioritized and budgeted roadmap that better safeguards the company’s stability and protects the confidentiality and integrity of sensitive information.
Conduct a Penetration Test: These tests expose weaknesses in a company’s infrastructure that would allow bad actors to gain access to the network and compromise sensitive data. The results of these tests feed into the roadmap for remediating and mitigating vulnerabilities.
Make our “Security Checklist” a Priority: These are baseline controls we designed to protect all types of small businesses:
Prioritizing these controls in the security roadmap is far more cost-effective, in time, money and effort, than responding to a cyber security incident. Roark Tech Services helps small businesses of all sizes in nearly every business segment. Our security programs provide guidance and ensure our clients’ security strategies are aligned with the sensitivity of their data, their compliance requirements, their budget and their business goals.
We can help identify risks, manage cybersecurity incidents and collaborate with you to formulate a prioritized roadmap that supports your security strategy and proactively mitigates data breaches and cyber-attacks. We offer a FREE cyber assessment so that every small business has the opportunity to learn what its risks are. If you have any questions or would like to discuss the recommended SHIELD Act compliance strategies, please contact us.