January 14th, 2020
Data breaches and security incidents have become almost run of the mill in the past decade. Despite the major financial ramifications for businesses and consumers, there has been very little done at the federal level to provide more safeguards. As a result, many states are taking up the cause, passing their own laws to protect private consumer data.
One of the states leading the charge is New York, which passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in July 2019. The law will take full effect on March 21, 2020.
The New York SHIELD Act broadens the state’s existing security breach notification laws by doing the following:
Broadening the definition of a security breach - Under the previous law, consumers had to be notified if their personal information was accessed deliberately by an unauthorized party. Now, any unauthorized access—intentional or not—will trigger a consumer notification.
Expansion of what is personal information - In addition to Social Security numbers, the SHIELD Act now defines “private information” to include:
Increased penalties for violations - The maximum penalty recoverable by the attorney general increased from $100,000 to $250,000.
According to the law, any company that handles the private information of a New York resident is subject to the SHIELD Act. This is a significant expansion of the previous law, which was limited to entities that conducted business in the state of New York.
Businesses subject to the law will have to develop a data security plan, whose elements include:
Small businesses have an exception carved out for them in the SHIELD Act. The law defines an SMB as an entity with less than $3 million in gross annual revenue or fewer than 50 employees.
SMBs will have to demonstrate “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.”
Regardless of whether you are an SMB or a large enterprise, developing a security plan that’s compliant with NY SHIELD will likely benefit you and your customers. Here’s how you can start:
New York is just one state, and we can expect many more to pass laws about data privacy and protection. Electric helps SMBs navigate the growing number of data security regulations and achieve compliance.
This communication is distributed with the understanding that the author is not rendering legal or other professional advice on specific facts or circumstances and, accordingly, assumes no liability in connection with its use.