Data breaches and security incidents have become almost run of the mill in the past decade. Despite the major financial ramifications for businesses and consumers, there has been very little done at the federal level to provide more safeguards. As a result, many states are taking up the cause, passing their own laws to protect private consumer data.

One of the states leading the charge is New York, which passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in July, 2019. The law will take full effect on March 21, 2020.

NY SHIELD Act in brief

The New York SHIELD Act broadens the state’s existing security breach notification laws by doing the following:

Broadening the definition of a security breach – Under the previous law consumers had to be notified if their personal information was accessed deliberately by an unauthorized party. Now, any unauthorized access—intentional or not—will trigger a consumer notification.

Expansion of what is personal information – In addition to Social Security numbers, the SHIELD Act now defines “private information” to include:

• Biometric information
• Driver’s license (and other government ID) numbers
• Credit/debit card numbers
• Financial account numbers
• Username or email address with password

Increased penalties for violations – The maximum penalty recoverable by the attorney general increased from $100,000 to $250,000.

Is my business subject to the NY SHIELD Act?

According to the law, any company that handles the private information of a New York resident is subject to the SHIELD Act. This is a significant expansion of previous law which was limited to entities that conducted business in the state of New York.

Businesses subject to the law will have to develop a data security plan, whose elements include:

• Designating at least one employee to lead a security program
• Training and managing employees on data security procedures
• Conducting regular software and systems threat assessments
• Developing plans for the disposal of private information

How does the New York SHIELD Act affect SMBs?

Small businesses have an exception carved out for them in the SHIELD Act. The law defines an SMB as an entity with less than $3 million in gross annual revenue or has fewer than 50 employees.

SMBs will have to demonstrate “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”

What are my next steps?

Regardless if you are an SMB or large enterprise, developing a security plan that’s compliant with NY SHIELD will likely benefit you and your customers. Here’s how you can start:

• Develop a schedule for assessing risks in your hardware, software, and information transfer systems.
• Develop regulations around who in your organization should be able to access private information.
• Form a security program with a leader who can educate other members of your organization.

New York is just one state, and we can expect many more to pass laws about data privacy and protection. Electric helps SMBs navigate the growing number of data security regulations and achieve compliance.

This communication is distributed with the understanding that the author is not rendering legal or other professional advice on specific facts or circumstances and, accordingly, assumes no liability in connection with its use.