What is the New York SHIELD Act?

In July 2019, the New York State Senate passed the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act to increase cybersecurity protections. The law applies to any person or business operating in New York in connection with owning or licensing electronic personal private data. Companies are required to have safeguards in place to protect the private information of New York residents. Any business with New York presence is required to comply regardless if the business has physical operations within the state or not. What does this mean for you? If your company is conducting business that handles private information within New York, or maintains private information of New York residents, the SHIELD Act will be applicable to you!

This law will have a greater impact on some industries, such as real estate, retail, technology, and other service industries. For example, a mid-size real estate management company based in New York that maintains tenant information of New York residents is now required to implement a cybersecurity program to protect the personal data of those tenants. Similarly, a New York real estate developer that has employee information would also likely be included under the requirements of the SHIELD Act.

What Exactly is Private Information?

Private information can be any of the following: social security number, driver’s license number, credit or debit card number, financial account number, biometric information or a username/email with a password that grants access to an online account. Essentially, any type of information that can aid in identification of an individual or business.

If New York SHIELD is Applicable to My Company, What Do I Need to Know?

  • Compliance with the SHIELD Act is required by March 21, 2020.
  • It is going to take time, effort and money to implement the required administrative, technical and physical security safeguards.
  • Ensure your breach notification policy includes notice to New York residents and make any necessary updates.
  • Penalties are subject to a tier structure, however, if a business chooses to completely ignore the SHIELD Act’s requirements, fines could be up to $250,000.
For more information on this topic, please
contact a member of the
Cyber and Information Security ServicesGroup.

What are considered required “reasonable safeguards” according to the New York Senate?

  • Administrative Safeguards
    • Designate one or more employees to coordinate the security program.
    • Identify reasonably foreseeable internal and external risks.
    • Assess the sufficiency of safeguards in place to control the identified risks.
    • Train and manage employees in the security program practices and procedures.
    • Select service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract.
    • Adjust the security program in light of business changes or new circumstances.
  • Technical Safeguards
    • Assess risks in network and software design.
    • Assess risks in information processing, transmission and storage.
    • Detect, prevent and respond to attacks or system failures.
    • Regularly test and monitor the effectiveness of key controls, systems and procedures.
  • Physical Safeguards
    • Assess risks of information storage and disposal.
    • Detect, prevent and respond to intrusions.
    • Protect against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information.
    • Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

How Can Withum Help You and Your Business?

Withum’s Cyber and Information Security Services are designed to support anyone (e.g. individuals, family run offices, commercial companies operating within regulated and non-regulated industries). Withum has the expertise and the latest technology in risk identification, determining protection levels of critical assets (such as a New Yorkers’ “private information”), ability to independently validate an organization’s privacy and security controls effectiveness, provide real-time active and passive intrusion detection (e.g. with internal employees and/or external hackers). We can help you assess if your current policies and security program comply with the Shield Act and assist you in implementing additional safeguards to comply with the new rules including the implementation of active data privacy, regulatory, and security monitoring tools that will not only help ensure real-time and/or passive compliance; but can also can provide daily, weekly and/or monthly metrics for the C-Suite / Senior Executive Leadership to independently validate your organizations effectiveness to comply with the NY SHIELD Act, as well as other business requirements.

Author: Caroline Laton | [email protected] and Victoria Iezzi | [email protected] from Withum’s Technology and Emerging Services Group


Cyber and Information Security Services

Previous Post

Next Post