What NY Businesses Need to Know About the SHIELD Act

On July 26, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (or SHIELD) Act into law. With the passing of this law, businesses with operations in New York now must put certain safeguards in place to help protect the private information disclosed to them by New York residents.

Let’s explore this act a little more deeply to understand what businesses are now required to do.

What the SHIELD Act Actually Does

The SHIELD Act is essentially an addendum to New York’s existing General Business Law, revising one section and adding another, while also adjusting the New York State Technology Law. Officially going into effect on March 21, 2020, businesses will want to be sure that they are aware of these changes and prepared to adjust to them.

Naturally, businesses that are owned and operated in New York are beholden to the SHIELD Act. However, even businesses that are not within the state’s boundaries may also be required to meet its requirements, as long as they have customers or employees who are located in New York. So, if a customer from Otego orders something from a company headquartered in Nevada, that company is still mandated to uphold the standards of SHIELD in regard to the data it has collected throughout the transaction.

While SHIELD doesn’t specifically outline any specific benchmarks that a business is required to meet, there are still definitions set by the law in terms of what is considered “private information” collected about New York residents.

In addition to a name or social security number, personally identifiable information includes:

• A driver’s license number
• A credit/debit card number and associated security code
• A username or email address associated with an account

If a business possesses this kind of information on a New York resident, they need to develop safeguards that ensure the security and integrity of this private data from its creation up to its disposal. This requires a data security program that covers the necessary administrative protections, the necessary technical protections, and the necessary practical protections.

There are, of course, exceptions. For instance, businesses that employ fewer than 50 people, have made less than $3 million in gross revenue in each of the past three years, or have less than $5 million in year-end assets can simply scale their program to fit their size, or are compliant to other standards that are seen as copacetic to the SHIELD Act (like HIPAA or the GLBA) are exempt. Failure to comply with the security portion is subject to civil penalties of up to $5000 per violation.

As far as breach notification amendments are concerned, they will not come into effect until March but include things like increased scope of the definition of personal information, a notification to the Attorney General within 10 days if more than 500 New York residents are impacted, and an increase in penalties.

What This Means for NYS Businesses

In short, it means that any business in New York will have to be sure that they are compliant to SHIELD, or at the very least has the appropriate protections for their size… and with March 21st drawing near, time is running out.

Reach out to Directive so we can help make sure that your data security is at the level it needs to be. Learn more by calling our team at 607.433.2200.