The Consequences of Failing to Comply with the New York SHIELD Act

Did You Know the Breach Notification Amendments Already Came Into Effect on October 23, 2019? And All Businesses Storing or Using Information Belonging to Residents Must Have Reasonable Safeguards in Place By March 21, 2020?

What are the Consequences of Failing to Comply with the New York SHIELD Act?

Governor Andrew Cuomo signed the SHIELD Act into law on July 25, 2019. SHIELD stands for Stop Hacks and Improve Electronic Data Security, an act put into effect to amend the current data breach security and/or notification laws in the state of New York. But the SHIELD Act impacts businesses anywhere in the world that store and use information belonging to residents. This means that even if you’re not operating in the state, you may be required to make some big changes to the way you store, access, and share sensitive information.

What Significant Changes Are Necessary Under the SHIELD Act?

Significant changes are imposed under the SHIELD Act to better protect residents against data breaches that leave their sensitive information at risk. Here’s a quick review of the significant changes that are necessary:

  1. The definition of a breach has been expanded to include any sort of unauthorized access to digitized data that may compromise the confidentiality, integrity, and security of private information.
  2. The territorial scope has been expanded so that any business that works with or stores private information of residents of the state must follow the updated breach notification requirements.
  3. The definition of private information has been expanded to cover the following data:
    • Social Security numbers
    • Driver’s license numbers
    • Credit or debit card numbers
    • Financial account numbers with or without security codes
    • Biometric information
    • Username/email addresses with passwords
  4. The safeguards required to protect private information have been expanded to include performing employee training, scheduling regular risk assessments, disposing of data in a timely manner, and having a data security program in place.

Let’s Take a Look at the Safeguards Required Before March 21, 2020…

Reasonable security measures and/or safeguards must be adopted before March 21, 2020. For most businesses, it’s critical to have a technology partner available to help you implement the following:

  • Appropriate access controls, so that employees have access only to the information they need to do their job.
  • Proper policies and procedures including a data backup and disaster recovery plan, as well as an incident response plan.
  • Thorough vulnerability assessments performed on a regular basis to identify areas of weakness and address them.
  • A cybersecurity training program that shows employees how to detect and respond to the most common threats.

Essentially, all solutions and/or processes relating to data storage or use must be reviewed to ensure private information is safe at all times. Here are a few recommended steps to help you get started:

  1. Designate an employee or team that will be responsible for the creation and enforcement of a data security program.
  2. Create a policy to ensure private information is destroyed within a reasonable time frame after it’s no longer necessary.
  3. Vet each third-party service provider thoroughly to ensure they’re contractually obligated to protect private information.

What Breach Notification Amendments Came Into Effect on October 23, 2019?

The SHIELD Act updates definitions already in place and adds to the existing laws relating to breach notifications. Any information exposed, whether intentionally or unintentionally, requires the business to notify affected individuals via:

  • Written notice
  • Electronic notice
  • Phone notice
  • Another notification method (such as via the media)

The breach must be announced without unreasonable delay, and if the breach impacts more than 500 residents of the state, you must provide a written determination to the state attorney general within 10 days. If the breach impacts more than 5,000 residents of the state, you must report the timing, content, and distribution of the notices, as well as the number of affected individuals, to whichever consumer reporting agencies the state attorney general deems pertinent.

What Are the Consequences of Failure to Comply with the NY SHIELD Act?

Prior to the NY SHIELD Act, businesses faced a fine of $5,000 or $10 per instance of failed notification, whichever was greater, with the per-instance total capped at $150,000. The NY SHIELD Act increases the penalty to $20 per instance, with a maximum of $250,000. In addition, businesses may be fined up to 3 years after an incident rather than 2 years.

This period is measured from the date on which the attorney general became aware of the violation or the date on which they received notice from the business, whichever comes first. The attorney general is also empowered to sue for injunctions and civil penalties when businesses fail to implement reasonable safeguards.

Need help complying with the SHIELD Act? Call (631) 203-6403.

LI Tech Advisors is the top IT services company in Long Island, NY and surrounding areas.
