In July 2019, Governor Cuomo signed the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act, which requires businesses to implement safeguards for the “private information” of New York State residents. Private information outlined in the Act includes email addresses and their passwords, biometric information resulting from facial recognition software or other means, Social Security numbers, driver’s license numbers, and debit and credit card numbers, to name a few. The Act is an enhancement of municipal business law 208-a and general business law 899-aa. Compliance with the updated Breach Notification portion (899-aa) was required by October 2019, and compliance with the balance (899-bb) is required by March 21, 2020. The law affects almost EVERY business in New York that holds New York resident data (and businesses outside New York that hold New York resident data). The law relates to computerized data only.
For small businesses (those with fewer than 50 employees or less than $3 million in gross annual revenue), the Act allows for “reasonable safeguards”. The Act does not define “reasonable safeguards” but states that you need only ensure that data security safeguards are appropriate for the size and complexity of the small business. Such safeguards should include documented and tested administrative, technical, and physical safeguards in a written data security program. No matter your size, the program should contain specific measures, including, at a minimum, annual risk assessments, employee training, vendor contract audits, and timely disposal of private information.
The SHIELD Act also does not mandate specific safeguards for large businesses, but it provides examples of what businesses can do to be deemed in compliance with the Act, such as implementing a “data security program”. Additionally, if your business is already in compliance with laws such as the Gramm-Leach-Bliley Act, HIPAA, or the NYS Department of Financial Services Cybersecurity Requirements, you are also deemed compliant with the SHIELD Act for the client data those laws cover. However, if you hold private information that is not covered by those standards, you may not be in full compliance.
In addition to safeguards, businesses must designate a person to coordinate the data security program. This individual or group of individuals must conduct risk assessments and oversee the implementation of safeguards to protect against the identified risks. Risks must be assessed regularly (annually is suggested) by the organization. The law adds multiple requirements for mandatory, documented, internal and third-party risk management policies and procedures, advanced testing, training, a named security official, and cyber protection of the personally identifiable information already covered by other New York laws. This applies to all New York resident data (including employee data!), not just to those doing business in New York.
The rule updates the notification requirements and adds a breach definition, very similar to those in other federal laws, that covers unauthorized access (e.g. ransomware; we’d suspect it is not a big leap that ransomware will be treated as a data breach under the “unapproved access” standard in this law too). It also states that a breach reportable under HIPAA (or to other federal and state regulatory agencies that require reporting) MUST be communicated to the Attorney General as well. The Attorney General can seek up to $250,000 for violations of the SHIELD Act.
It is critical that each employer doing business in New York review the requirements of the SHIELD Act and determine the steps needed to become compliant by March 21, 2020. Should you have questions, reach out to our information risk management experts at Bonadio or at FoxPointe Solutions, a division of The Bonadio Group and our designated cybersecurity division.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal, or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.