Businesses that have employees or customers in the state of New York are now subject to new regulations for data security. That’s right, New York state now has the Stop Hacks And Improve Electronic Data Security (SHIELD) Act, with the goal of securing the personal information of individuals in New York state.
Businesses with employees or customers in New York are required to take steps to safeguard the personal information of New York residents and to prevent this data from being part of a breach. Given the population and the number of businesses operating in New York or with employees in New York, the SHIELD Act has a pretty large-scale impact.
More than just an operational mandate, the SHIELD Act requires businesses handling the private data of any person, which includes information like names and Social Security numbers, to exercise minimum data security protocols for this information.
What does “handling” mean?
Any person or business that accesses, stores, shares, or basically uses this sensitive information in computerized data format, including:
In the case of the SHIELD Act and compliance, businesses are classified into two categories:
Small businesses have slightly more leverage and flexibility to avoid the most costly security measures, though small businesses are still required to take reasonable administrative, technical, and physical safeguards to protect this data in electronic format. What does “reasonable” mean? Reasonable safeguards are those measures considered appropriate for:
One important distinction in the SHIELD Act is that “breach” applies to unauthorized access, not only to confirmed theft of data. This matters because the SHIELD Act treats even potential access to sensitive information as grounds for notifying those whose information may be exposed. Redefining “breach” expands the minimum requirements: businesses must notify not only the affected parties but also credit reporting agencies, and must offer identity theft protection services to the consumers affected.
The risk of exposing sensitive data can be incredibly costly. Not only can violations of the SHIELD Act result in fines of up to $5,000 per violation, but the long-term cost of identity theft and credit card fraud to the affected consumers and the business is far greater still.
The SHIELD Act requires businesses to protect consumer data in electronic format, and businesses can take steps with technology security including:
That last bullet is repeated because it’s just that important! Training staff on security protocols and best practices for data security is the most important step. That training should cover how to choose passwords, how to update passwords, and how to recognize phishing attempts: emails and websites that look legitimate but are actually designed to collect passwords.
Data security is the name of the game – in New York and everywhere else! If you’re not certain your business is SHIELD Act compliant, talk to an IT company that understands the New York SHIELD Act to help you determine if your business is compliant.