The New York SHIELD Act
The New York SHIELD (Stop Hacks and Improve Electronic Data Security) Act, which comes into effect on March 21, 2020, has a far-reaching impact as it applies to ALL businesses storing or accessing private information belonging to residents of the state. You will be required to develop, implement, and maintain reasonable safeguards that protect the integrity, security, and confidentiality of this information. If you own, store or access information belonging to residents of the state and you meet one or more of the following criteria, this is vital for you to understand:
- 50+ employees, OR
- $3,000,000+ in annual gross revenue averaged over the past 3 years, OR
- $5,000,000+ in year-end total assets
Even if you fall below these thresholds, you must still adopt the reasonable safeguards necessary based on your size and the sensitivity of the data you’re storing and accessing. Here are the safeguards:
1. Administrative Safeguards
- One or more employees should be designated to manage a data security program that identifies foreseeable internal and external risks.
- Safeguards should be assessed to control the risks identified above and training should be provided to all employees.
- Third-party vendors should be vetted to ensure they have adequate data security programs, and they should be required by contract to maintain them.
- Any new changes or circumstances that arise should be considered and worked into the data security program.
2. Technical Safeguards
- The network design and all configured software should be assessed for potential security risks.
- Information processing, storage, and transmission technologies and protocols should be assessed for potential security risks.
- Adequate detection, prevention, and response technologies and protocols should be implemented for attacks or system failures.
- All security and data privacy controls should be regularly tested and monitored to ensure they remain effective.
3. Physical Safeguards
- Data storage and disposal processes and procedures should be assessed to identify any security risks.
- Adequate detection, prevention, and response technologies and protocols should be implemented for intrusions.
- All processes relating to the collection, transmission, and disposal of sensitive information should be reviewed to protect against unauthorized access.
- All sensitive information should be disposed of in a reasonable amount of time after it’s no longer necessary for business purposes.
Need help complying with the SHIELD Act? Call (631) 203-6403. Ll Tech Advisors is the top IT services company in Long Island, NY and surrounding areas.