The New York SHIELD Act

New York’s SHIELD Act comes into force on March 21, 2020, as more and more states take it upon themselves to create laws that protect consumers by issuing more rigid compliance regulations.

What is the SHIELD Act?

On July 25th, 2019, Andrew Cuomo, Governor of New York, signed the Stop Hacks and Improve Electronic Data Security Act, aka SHIELD. The main goal of SHIELD is to protect customers while ensuring stricter compliance regulations for companies that collect data and information from the state's citizens.

The Act requires every company (in New York or any other state) that holds personal information of consumers, even if it has only one customer in New York, to adopt a cybersecurity protocol or program. This will impact industries such as real estate, retail and a few service industries that were, until now, considered unregulated and were not required to comply with any cybersecurity requirement.

What do you need to know?

The Act covers a wider spectrum of businesses in New York

This act applies to any business that collects data from New York citizens and not just companies that conduct business in New York.

Security breach notification changes

Before the SHIELD Act, only those customers whose data was actively breached would get a notification. Under the SHIELD Act, the definition of a security breach includes even those customers whose data was simply accessed by an unauthorized party. This means more incidents and breaches will be brought to light.

SHIELD covers a larger set of personal information

The Act covers:

  • Biometric information (such as facial recognition data), and email accounts together with their security questions and answers
  • Social security numbers
  • Driver’s license or non-driver ID card numbers
  • Account numbers (debit and credit card), etc.

This brings more security breaches into scope, and a larger number of factors are considered.

Businesses must start to comply within 240 days from when the Act was signed, i.e. by March 21, 2020.

Who should pay attention?

Lawyers must not breach the confidentiality of client information. They must take steps to ensure client information is protected against unauthorized access.

What steps should you implement?

Identify vulnerabilities and implement safeguard measures

Identify network weak points and foreseeable risks to data, and implement security measures to protect sensitive data. Consult a cybersecurity expert like CompCiti that can recommend appropriate security measures and help prevent unauthorized access.

Hire a CISO

Consider hiring a full-time, part-time or virtual Chief Information Security Officer (CISO), or a designated person who conducts risk analysis and is responsible for reporting breaches to the New York State Attorney General’s Office and other oversight agencies.

Conduct a regular risk assessment

Regularly check for risks and vulnerabilities in your network and in third-party systems.

Regular workshops and employee education

New and current employees should be given regular cybersecurity workshops, both during onboarding and periodically thereafter.

Adopt a company-wide Cybersecurity Program

The company should adopt a cybersecurity program that is compliant with the SHIELD Act. If your company already has a program, it should be reviewed and updated to stay compliant with the SHIELD Act.

What is the penalty if you do not comply with the SHIELD Act?

By August 2019, the New York State Attorney General’s Office had levied more than $600 million in fines related to security breaches under the then-existing statutes. With the SHIELD Act, the Office can seek up to $250,000 for violations by a company.

How can CompCiti help?

In the past few years, CompCiti has helped many small and mid-size firms in and around New York to update and manage their cybersecurity programs. CompCiti helps businesses reduce cybersecurity risks and comply with government regulations. Along with administrative, technical and proactive measures, CompCiti provides a set of steps to ensure proper compliance and risk management, with simple yet crucial activities such as data mapping, penetration testing and risk assessment. CompCiti also offers a virtual CISO service, through which businesses can hire a CISO on a part-time basis to develop and enforce a cybersecurity program.

Contact CompCiti

Find Out How CompCiti Can Increase Your Cybersecurity and Keep Your Company Safe