Many people aren't aware of how important data security really is. However, cybercrime has become more prevalent than ever. It is particularly important nowadays that personal information is protected.
The New York SHIELD Act is quite influential. SHIELD is an acronym for "Stop Hacks and Improve Electronic Data Security." It was signed into law on July 15th, 2019 by Governor Andrew Cuomo of New York. As he signed it into law, he stated, "As technology seeps into practically every aspect of our daily lives, it's increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure."
The SHIELD Act is all about making sure that companies do a better job of protecting sensitive information that belongs to residents of the state of New York. In fact, it goes beyond only New York. It requires every business and health care organization that stores or has access to information belonging to New York residents to do everything that it can to protect that information.
The SHIELD Act has redefined a breach to include any type of unauthorized access to digitized data that could potentially compromise the security, integrity, and confidentiality of any information that could be considered private. The definition of this private information has also been broadened, to include the following information: driver's license numbers, Social Security numbers, debit or credit card numbers, biometric information, financial account numbers that may or may not have security codes, and username/email addresses with passwords.
Any health care organization that complies with the Health Insurance Portability and Accountability Act (HIPAA) is probably already compliant with the SHIELD Act. However, there are some changes that these organizations need to take note of as well. There is now a distinction between private information and health information, meaning that private data pertains to personal information. It also refers to patient portals and retinal scans. If email addresses or passwords are breached, this breach falls under the purview of the SHIELD Act.
If there is a breach that does not specifically involve electronic health information but private information instead, the healthcare organization needs to report the breach to the Department of State, State Police, State Attorney General, and any individuals that are affected by the breach. If the breach occurs and is going to impact over 5,000 New York residents, the organization needs to report it to the Consumer Protection Bureau. If there is a breach that needs to be reported according to HIPAA, even if there is no private information involved, that organization has to report it to the State Attorney General within a period of five days after having reported it to the Office for Civil Rights.
Overall, any company that may store information belonging to a New York resident is going to have to make some significant changes in the way that it stores and accesses sensitive information. Many safeguards were required before March 21, 2020. Businesses needed to have proper policies and procedures in place, including a disaster recovery plan and data back-up plan. They also needed to implement appropriate access controls, so that employees do not have access to more information than they actually need to do their jobs. Vulnerability assessments would need to be performed regularly in order to pinpoint areas of weakness and deal with them. Companies would also need to implement cybersecurity training programs in order to show employees how to deal with the most common security threats.
The SHIELD Act has also significantly increased penalties for failure to comply. It is now $20 per instance of failed notification, with a maximum penalty of $250,000.
LI Tech Advisors is considered to be the top IT services company in Long Island, New York, and nearby areas. They are working to educate other professionals about the SHIELD Act and how it will affect them.