Why You Need to Understand the SHIELD Act, Even If You're Located Outside New York State
In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, a law that amends existing data breach notification laws and imposes more data security requirements on companies that collect, handle and store information on New York State residents, including small businesses. The data security requirements of the law took effect in March 2020, making it now fully enforceable. The NYS legislature introduced the SHIELD Act in response to a report showing a 60% increase in data breaches in New York State. The intent is to strengthen security practices in response to the ever-rising cyber threats that small businesses face. Failure to tighten security practices can lead to significant consequences, including data loss, falling prey to ransomware, identity theft, and fraud. Just weeks prior to the introduction of the SHIELD Act, Equifax, one of the largest credit reporting agencies in the country, reported a breach that affected over eight million New York residents.
What are the SHIELD Act's Requirements?
The SHIELD Act introduces significant changes to existing law:
It broadens the definition of “private information”. The Act expands the definition of this term to include account numbers, biometric information, credit/debit card numbers (even without a security code), access codes, usernames, email addresses, passwords, and security questions and answers.
It expands the definition of a “breach”. Previously, a breach was defined as unauthorized acquisition of computerized data. Now it refers to unauthorized access to computerized data that compromises the security, confidentiality, or integrity of private information. The law also supplies examples of unauthorized access and updates the procedures companies must follow when a breach occurs.
It expands the territorial scope. The earlier law was limited to parties that conducted business in New York. The SHIELD Act expands the scope to any person or business that owns or licenses private information of a New York resident. That means that even if you do not do business in New York, it is highly probable that the SHIELD Act applies to you if you operate anywhere in the United States and hold information on New York residents.
It imposes new data security requirements. The Act requires all companies, including small businesses, to adopt reasonable safeguards to protect the security, confidentiality and integrity of private information. Companies must implement a data security program with specific measures, employee training, vendor contracts, risk assessments, and prompt data disposal. It also requires entities to appoint an employee to oversee cybersecurity operations.
Businesses are considered compliant if they implement reasonable administrative, physical, and technical safeguards.
The bill offers several ways to ensure compliance.
What is the SHIELD Act’s Impact?
The SHIELD Act is designed to protect data and notify the public and authorities about breaches. Individual states will continue to write and expand their data security laws, but since the SHIELD Act applies to any business that collects or keeps private information on New York residents, it has the potential to make a significant impact on the entire nation.
What Happens If You Do Not Comply?
Penalties for noncompliance are not enforced by private entities, but by the state attorney general’s office. In addition to state penalties, the individuals whose data is breached may be entitled to compensation.
Penalties
Companies that do not follow the regulations laid out in the SHIELD Act may face civil penalties of up to $5,000 per violation. There is no cap on penalties, so fines can add up quickly. There is also a $250,000 fine for not notifying authorities when a data breach occurs, even for a small business.
Reputational Consequences
Not only will a company suffer in terms of penalties and financial losses related to a data breach, but a security incident will also cost a company its reputation. A loss of customer trust will likely cost both future customers and the returning business of current customers. One study shows that 65% of customers lost trust in an organization after it suffered a data breach, and 85% told others about their experience—a consequence which could lead to a company’s death by word of mouth. Maintaining multiple security standards is complex, time consuming, and inefficient. For the sake of convenience and cost, many companies will likely apply the SHIELD Act’s standards to all the private information they collect and keep, not just that of New York residents.
How to Comply
All businesses, including small businesses, must have a security plan in place. Though the SHIELD Act does not mandate specific safeguards, it does outline key elements, including the following:
Appointing one or more employees to coordinate a data security program
Employee cybersecurity training in the security program’s practices and procedures
Assessing internal and external risks and implementing measures to reduce risks
Vetting service providers and binding them contractually to safeguard private information
Securely destroying private information within a reasonable amount of time after it is no longer needed for business purposes
The best way to reach SHIELD compliance is by working with a Managed IT Service Provider, especially if the business lacks the IT knowledge to create a data security plan. To ensure compliance with these updated regulations and, as the law intends, remain protected from cyber threats, work carefully with your IT team to update security measures and practices in light of the SHIELD Act’s new conditions.