What is the New York Data Security Act (aka: SHIELD Bill) and What Will it Mean for My Business?

Data security and online privacy are shaping up to be major regulatory topics this decade and beyond. Major data breaches by organizations like Facebook, Yahoo, and Equifax have contributed to the urgency of data privacy regulations.

Personal data has become the currency of today’s criminals, who use cyberattacks such as phishing emails to gain access to networks and databases, then sell that data to the highest bidder. Governments are starting to catch up by crafting legislation that imposes data safeguard requirements on firms collecting user data.

One proposed piece of data privacy legislation that our Triada Networks team has been keeping an eye on is the New York Data Security Act. We provide IT security solutions for financial firms in the New York City and New Jersey area, so naturally we’ve been keeping abreast of what this bill, if passed, would mean for our clients.

The New York Data Security Act is referred to as the “Stop Hacks and Improve Electronic Data Security Act” or “SHIELD” for short. It was first introduced in 2017 as a program bill and amendment to New York’s existing data security statute.

So, what will SHIELD mean for your business and how you handle your data security? We’ll give you a full primer on what’s coming up once this bill is enacted.

New York’s Proposed SHIELD Act: The Facts

The SHIELD Act addresses two key areas: cybersecurity and data breach notification. It is important to note that New York businesses would not be the only ones impacted.

The SHIELD Act applies to any business that collects sensitive data from New York residents, even if the business itself is located outside the state.

The data security standards cover three areas of safeguards: administrative, technical, and physical. Here is a breakdown of how each would look for your business, along with what is changing in the data breach notification requirements.

Administrative Safeguards

Companies would be required to put good cybersecurity policies into place for safeguarding the personal and sensitive data of New Yorkers. These administrative safeguards include:

  • Assigning staff to coordinate a security program
  • Identifying IT security risks, both internal and external
  • Doing an assessment of cybersecurity safeguards to control risks
  • Providing proper employee training in IT security practices
  • Ensuring your service providers are compliant with IT security protocols
  • As your business changes, making sure your cybersecurity plan is updated

Technical Safeguards

The requirements for software and hardware monitoring and protection fall into the realm of technical safeguard requirements. SHIELD requires companies to:

  • Fully assess risks in software and network design
  • Review information processing, transmission, and storage protocols for weaknesses
  • Have a platform in place to detect, prevent, and respond to IT security incidents or system failures
  • Institute regular testing and monitoring of key systems, controls, and procedures

Physical Safeguards

The third layer of safeguard requirements in SHIELD relates to how you physically protect the sensitive data that you collect. Physical safeguards include:

  • Reviewing risks of where your information is stored and how it’s disposed of
  • Having a system in place to detect, prevent, and respond to physical intrusions
  • Safeguarding against unauthorized access or use of private information
  • Properly disposing of personal information once it is no longer needed

Data Breach Notifications

The data breach provisions within the SHIELD Act are designed to revise the current New York data breach notification law. The key elements of the update concern how companies are required to notify those whose data has been breached. They include:

  • Providing an alternate means of notifying people whose email account credentials have been compromised
  • Requiring specific information to be included in consumer breach notifications
  • Including an additional notification obligation to payment card issuers when a card is replaced due to a data breach

SHIELD Act: Exemptions/Penalties/Status

If you’re a small business, just thinking about compliance with a new data security bill can be stressful and leave you wondering how much it’s going to cost. There are a couple of exemptions within the SHIELD Act, and one of them is for small businesses.

SHIELD Exemptions

Small businesses would be considered compliant with the regulation if they implement and maintain “reasonable safeguards” for private information that are “appropriate to the size and complexity of the small business.”

A small business is defined as:

  • Having fewer than 50 employees
  • Having a gross revenue of less than $3 million for the last three fiscal years
  • Having under $5 million in assets

The second exemption is a safe harbor for organizations that comply with the international standard for information security management systems, ISO 27001 (supported by the guidance in ISO 27002), or with NIST 800-53.

Those businesses would avoid prosecution by the Attorney General for non-compliance, unless there was evidence of “willful misconduct, bad faith, or gross negligence.”

Non-Compliance Fines

Failure to comply with the SHIELD Act could result in an action for damages brought by the Attorney General, with a maximum penalty of $5,000 per violation.

Penalties would also be increased for companies that fail to provide proper data breach notification to those affected. Companies that knowingly fail to issue proper notice can be subject to civil penalties of $5,000 or $20 per failed notification, whichever is greater, capped at $250,000.

What’s the Status of the SHIELD Bill?

There is no effective date yet for the Stop Hacks and Improve Electronic Data Security Act. As of this writing, the bill is still in the New York State Senate’s Finance Committee and has not yet been brought to the floor for a vote.

We’ll be keeping an eye on its progress and will be sure to let our clients know of any changes in status.

Looking for Help with Data Security Compliance?

Triada Networks has decades of experience in cybersecurity and keeping our clients’ data safe. We specialize in financial firms and can help you navigate any data compliance regulations.

Schedule a consultation today and get your free Small Business IT Security Report Card!