New York SHIELD Act Requires Safeguards to Protect Private Information
The Stop Hacks and Improve Electronic Data Security Act, also known as the NYS SHIELD Act, took effect on March 21, 2020, and most New York State employers must comply.*
What is the New York SHIELD Act?
The New York SHIELD Act is an amendment to New York’s data breach notification law. First signed into law on July 25, 2019, it covers breaches of certain personally identifiable computerized data, referred to as Private Information. It also imposes data security requirements on businesses that own or license Private Information of New York residents, regardless of whether they do business in New York State. There are potential civil penalties for not complying with the law.
What is required under The New York SHIELD Act?
The data security requirements of the New York SHIELD Act require businesses that own or license private information of New York residents to implement certain protections, such as:
Reasonable administrative safeguards include the following:
- Designating one or more employees to coordinate the security program.
- Identifying reasonably foreseeable internal and external risks.
- Assessing the sufficiency of safeguards in place to control the identified risks.
- Training and managing employees in the security program practices and procedures.
- Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract.
- Adjusting the security program in light of business changes or new circumstances.
Reasonable technical safeguards include the following:
- Assessing risks in network and software design.
- Assessing risks in information processing, transmission, and storage.
- Detecting, preventing, and responding to attacks or system failures.
- Regularly testing and monitoring the effectiveness of key controls, systems, and procedures.
Reasonable physical safeguards include the following:
- Assessing the risks of information storage and disposal.
- Detecting, preventing, and responding to intrusions.
- Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information.
- Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Does the NYS SHIELD Act apply to your business?
Yes, you need to be in compliance with the New York SHIELD Act right now if your business possesses computerized data and the private information of New Yorkers.