It’s easy to forget the sheer number of threats businesses need to worry about, cybersecurity threats in particular. Along with those threats come a myriad of rules and regulations that many organizations fall under. On March 22nd, 2020, the remaining provisions of the New York SHIELD Act went into effect (the sections associated with data breach notifications went live in October of 2019). This law dictates the responsibilities organizations have for protecting the personal information of residents of the State of New York.
You may be thinking “our business isn’t based in New York State, so we’re good, right?” You would be wrong. As with GDPR and state data privacy regulations (such as those of California and Massachusetts), it doesn’t matter where your business is physically located. If you hold personal information (PI) for any residents of New York State, you’re required to comply with the NY SHIELD Act.
The SHIELD Act Security Provisions
The SHIELD Act isn’t a new law in New York. Rather, it is an amendment to existing data breach notification regulations passed in 2005. The bulk of the newly amended law focuses on what constitutes PI, what an actual “breach” is, and what a business’ requirements to disclose are in the event of a breach.
The major addition to this law is section 899-bb. It defines “data security protections” that must be undertaken by organizations that hold PI for any New York residents. At a high level, these requirements include:
- Designating someone in the organization to be responsible for security
- Identifying risks (internal and external) and determining whether those risks are currently controlled
- Training employees on security programs and procedures
- Being able to detect, prevent and respond to attacks
- Regularly testing the effectiveness of security controls, systems and procedures
The SHIELD Act does make provisions for small businesses to tailor their security approach, since one size does not fit all. However, this does not mean small businesses are exempt from having proper security systems, policies and procedures in place. It simply doesn’t require theirs to be identical to those of larger organizations. Small businesses will still need to show that they have taken reasonable measures to protect any PI through appropriate physical, technical and administrative safeguards.
How to Prepare Your Organization
The SHIELD Act touches many important facets of cybersecurity. Here are some steps you can take to get started.
- Determine whether the SHIELD Act applies to your organization: Chances are, you have a client, employee or partner residing in New York. It’s safer to assume that you’ll need to comply with the SHIELD Act than to assume you’re not affected.
- Perform a Risk Assessment: At ADNET, we begin with the risk discussion any time we’re speaking with organizations about cybersecurity. To know what you must do, you first need to know what your risks are. That’s why the first recommendation from our team is almost always to conduct a risk assessment.
- Plan to address any risks discovered: Once you know your risks, work with a strategic IT partner to help address them. ADNET recommends tackling the critical or “high” risk items first and working toward the lower priority items.
- Remember, security and compliance are not “set it and forget it”: Risk assessments should be done annually to account for changes in technology, staffing and business structure. Security threats are always evolving, so it’s imperative that you continue to assess your risk levels on a consistent basis.
Kudos to New York State for taking these critical steps to ensure the privacy and protection of its residents! Please reach out if you have questions about how the amendments to the New York SHIELD Act impact your business. We’re here to help.