The NY SHIELD Act is Almost Here: How to Stay Compliant
Data privacy regulations are quickly becoming par for the course in countries around the world, each one bringing new, nuanced responsibilities for companies to follow. While Europe’s expansive General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) have made most of the headlines, we are just months away from the latest privacy regulation, New York’s “Stop Hacks and Improve Electronic Data Security (SHIELD) Act.”
Scheduled to take effect on March 21, 2020, the SHIELD Act will transform data privacy standards in New York, the US, and around the world. Keep reading to find out what the latest privacy regulation means for your organization and how you can best prepare for its implementation.
The SHIELD Act was signed into law on July 25, 2019 by New York Governor Andrew Cuomo. The Act gave companies 240 days to comply with new data privacy and data security standards, which makes March 21st a critical milestone for companies. It includes several notable changes to data privacy standards:
New Definitions. The SHIELD Act expands the definition of “private information” to encompass biometric data and usernames/email addresses when paired with passwords or security questions. In addition, financial data, including account or payment card numbers, is classified as private information even without the accompanying security codes or passwords.
New Parameters. Not only does the law broaden the kinds of information whose exposure can constitute a data breach, but it also expands the definition of a “breach” itself. Notably, under the SHIELD Act, unauthorized access to data that compromises personal privacy is considered a breach. Previously, bad actors had to actually steal customer data before a privacy incident qualified as a breach.
New People. These changes represent a seismic shift for one of the biggest business hubs in the world, but their implications reach well beyond the Big Apple. While New York’s previous data privacy laws applied only to companies operating in the state, the SHIELD Act applies to every company collecting and storing the information of a New York resident.
New Consequences. For companies that fail to comply, the SHIELD Act empowers the New York Attorney General to exact up to $250,000 in fines and penalties, a $100,000 increase over previous legislation. According to PwC, the Attorney General had already assessed more than $600 million in fines leading up to the law’s passing, so companies should be prepared to comply or face significant financial penalties.
Taken together, the SHIELD Act continues the trend of governments taking steps to bolster data privacy standards at a time when data breaches continue to be pervasive and incredibly consequential. To be sure, it will force companies to up their game in this regard.
How Should You Respond?
The SHIELD Act is intended to increase companies’ responsibility when collecting and storing people’s private information. In that regard, every organization should take specific measures to address data security, including:
- #1 Identify a point person. With new communication and oversight requirements, organizations can’t afford to let lax oversight lead to noncompliance. Place someone in charge of compliance and hold them accountable for adoption.
- #2 Train all employees in data security best practices. Interestingly, as part of the SHIELD Act, the New York government is committing itself to providing data security training to all of its employees, and businesses should do the same. Many data breaches are entirely avoidable, and training can eliminate many of the most obvious avenues to a privacy violation.
- #3 Assess all risks. As we routinely report in our weekly newsletter, third-party partnerships carry as much risk as they do opportunity. In response to this new regulation, companies need to reevaluate their business relationships with cybersecurity in mind, taking intentional steps to deter a data breach.
- #4 Document everything. When it comes to compliance, documentation of best practice initiatives and other security protocols is a veritable must-have.
The SHIELD Act’s implementation is just months away, and compliance should be top-of-mind for every company interacting with New Yorkers’ personal data. However, rather than being overwhelmed by the task, turn to trusted professionals who can help you along the way. At ID Agent, we offer comprehensive employee awareness training that promotes compliance and data security. In addition, our Compliance Manager™ automates and documents compliance standards, setting up any organization for seamless adoption of the SHIELD Act’s standards.
Don’t wait until it’s too late to prepare. Contact ID Agent to learn more about how we can help you achieve compliance by the March 21st deadline. Recently, ID Agent’s CEO Kevin Lancaster and Kaseya’s GM of Compliance, Max Pruger, took a moment to highlight what you need to know to ensure you and your customers are compliant in 2020. View the webinar by clicking the link below: