Updated: Mar 8
On March 21, 2020, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act takes effect. This act requires businesses to implement safeguards for the private information of New York residents and broadens New York's security breach notification requirements.
First proposed shortly after the Equifax data breach in 2017, SHIELD addresses consumers’ growing concern regarding the protection of their personal consumer data. But it isn’t only about protecting consumers’ information. Every business in NY with employees must comply with the SHIELD Act because "private information" includes every employee’s name and Social Security number, even if your employees don’t live in NY, since they work in NY, they’re private information falls under this act.
With all the nuances this new law incurs, let’s take a look at some things that you need to be sure you’re aware of when it comes to your business for March 21.
The law clearly states that a business is deemed in compliance with the requirement to implement reasonable data security measures if it maintains a data security program that incorporates a detailed series of administrative, technical, and physical controls. However, there are two types of businesses that fulfill the “reasonable safeguards” requirement automatically:
Small businesses with fewer than 50 employees or less than $3 million in gross annual revenue
Businesses already in compliance with other regulatory schemes requiring information security, such as the Health Insurance Portability and Accountability Act Security Rule (HIPAA), or the New York State Department of Financial Services' Cybersecurity Requirements (23 NYCRR 500) for Financial Services Companies
Even small businesses who automatically fall under the “reasonable safeguard” requirements, must ensure that their data security safeguards are appropriate for the size and complexity of their business activities and the sensitivity of the personal information they handle. However, many SMBs are ill equipped to make that kind of promise, especially when it could mean hefty fines if they overestimate the strength of their security posture.
If you’re an SMB in NY, we suggest you get a second opinion from a trusted cybersecurity advisor to help you determine—and substantiate—you have administrative, technical, and physical safeguards in place that comply with the requirements of the SHIELD Act.
As you’re looking into how SHIELD affects your business, it’s also a good time to re-evaluate your corporate cybersecurity. Whether your security is managed in-house or with a managed security service provider (MSSP), conducting a risk assessment to ensure your protection is up to par is a good idea.
If you’re working with an MSSP, re-evaluate the IT security provisions of your agreement to understand fully how they handle private information that flows through your organization. If by chance any New York resident’s personal information is leaked via your company, even if you have a third-party vendor managing your security, it’s still your problem and the fines will be yours to pay. This also includes how information is securely destroyed.
And it isn’t only technical threats you need to be concerned with. Negligent and malicious insiders can put you in a precarious position. Make sure employees who handle personal information understand how to safeguard that information. Also review access controls for current, and even past, employees to make sure only those who require access to private data have it.
Breach Definition Expansion
The SHIELD Act also expands the definition of "breach" to include unauthorized access, rather than solely unauthorized acquisition. This is critical if your corporate email accounts are web based. If one of your employees is duped into disclosing their account credentials in response to a phishing e-mail, you can establish that no information was exfiltrated or acquired from the account. However, you can’t prove that the hacker didn’t access private information that may be stored within the account.
Training employees on what to look for and avoid when it comes to email is key to protecting your business, but having an effective threat detection and mitigation solution is your first line of defense. Even better is having a team of security experts to help you strengthen your security posture. With an MSSP on your side, you reap the benefits of a whole team of experts who are well-versed on the latest sophisticated cyberattacks, helping you get ahead of attacks before they happen. Because under the SHIELD Act, if you’re breached it could cost you double—up to $250,000.
BlackHawk Data is Your Shield Against Attacks
BlackHawk Data’s team of cybersecurity experts have experience securing personal and corporate data for a wide variety of industries. We understand the intricacies of layered security protection, effective monitoring and management, and best practices to help your team keep all the information that flows through your business secure.
Our security assessment provides you with a holistic view of your current infrastructure and security posture, detailing “hot spots” and security gaps within your network, so there are no unwarranted surprises or unexpected downtimes. We can then help you build a security solution that can scale with you as your business and budget matures.
Don’t be caught off guard on March 21. Let BlackHawk Data help you improve your data security and shield you from cyberattacks.