New York’s SHIELD Act is now in full effect. While this act amending the state’s cybersecurity requirements was signed in July 2019, some of its measures began in October 2019, while the rest went into effect in March 2020.
It’s important to be aware of the changes it enacted to avoid the penalties of not complying with New York’s SHIELD Act
What’s Different After the SHIELD Act?
The SHIELD Act—which stands for “Stop Hacks and Improve Electronic Data Security”—increased the list of protected information to include biometrics, login information such as a username or email address that can provide access to online accounts, debit and credit card information, and financial account numbers.
It also expanded the definition of a data breach that must be disclosed to include any unauthorized access to computer data instead of just unauthorized acquisition. Overall, the act increases employers’ responsibility over their cybersecurity and tightens security regulations.
New York’s past laws regarding data security only applied to companies that were conducting business within the state. However, with the new act in place, these regulations now apply to any employer in possession of a New York resident’s private information, meaning this law can potentially apply to companies nationwide.
Security Posture Review for NY SHIELD Act
What Happens If You Don’t Comply?
Penalties for noncompliance aren’t enforced by private entities, but by the state attorney general’s office. In addition to state penalties, the individuals whose data has been breached may be entitled to compensation.
Penalties
Companies that fail to comply with the regulations laid out in the SHIELD Act may face civil penalties of up to $5,000 per violation. The SHIELD Act increases the penalties that can be recovered for noncompliance from $10 to $20 per failed notification and increases the maximum penalty from $100,000 to $250,000.
Security Incidents
This act was created to strengthen security practices in response to the ever-rising cyber threats that businesses face. Failure to tighten security practices can lead to data breaches or loss and falling prey to ransomware, spear-phishing, and fraud.
One significant example of such an unfortunate case is 2015 data breach of the major healthcare provider Anthem. By installing malware on Anthem’s devices, hackers successfully attained data like names, health ID numbers, dates of birth, Social Security numbers, address, phone numbers, email addresses, employment information, and income data from roughly 78.8 million people.
In a cyber breach, hackers may also be able to transfer substantial amounts of money from the compromised company to scammers. For example, Ubiquiti Networks became the victim of a CEO fraud in 2015. The SEC filing states the scam resulted in wire transfers of $46.7 million held by a company subsidiary to overseas accounts held by third parties.
Proper security measures may have stopped these attacks. Hackers often use simple attacks like phishing emails to gain access to systems through employee error.
By providing thorough, consistent employee training, having security risks assessed, and following the other SHIELD guidelines and common-sense proactive security measures, companies can significantly reduce their risk of suffering a devastating data breach.
Reputational Consequences
Not only could your company suffer in terms of penalties and financial losses directly related to a data breach, but a security incident will also cost you reputationally.
A loss of customer trust will likely cost you both future customers and the returning business of current customers. One study shows that 65% of customers lost trust in an organization after it suffered a data breach, and 85% told others about their experience—a consequence which could lead to your company’s death by word of mouth.
How to Comply
All businesses are required to have a security plan in place. Though the SHIELD Act does not require specific safeguards, it does outline key elements, including the following:
- Designating one or more employees to coordinate a data security program
- Employee cybersecurity training in the security program’s practices and procedures
- Assessing internal and external risks and implementing measures to reduce risks
- Vetting service providers and binding them contractually to safeguard private information
- Securely destroying private information within a reasonable amount of time after it is no longer needed for business purposes.
The best way to reach SHIELD compliance is by working with a Managed Security Services Provider, especially if you lack the IT knowledge to create a data security plan yourself.
To ensure you’re in compliance with these updated regulations and, as is their goal, completely protected from cyber threats to your business, you should work carefully with your security team to update your security measures and practices in light of the SHIELD Act’s new stipulations.
