New York rolled out its Stop Hacks and Improve Electronic Data Security Act requirements over the past year, and the fully implemented measure will significantly impact how companies approach cybersecurity.
Under the law, commonly referred to as the SHIELD Act, organizations are now tasked with improving the security and privacy of sensitive data they collect, store, and transmit. The NY State SHIELD Act applies heightened requirements to organizations in the state and also to those doing business with its residents remotely.
Many believe that the harsh penalties for cybersecurity failures could have broad implications similar to the California Consumer Privacy Act and the European Union’s General Data Protection Regulation. New York has basically put its data breach and notification laws on steroids, and companies that fail to comply face harsh penalties. Entrepreneurs, CEOs, and other decision-makers who handle employee data and have not adhered to SHIELD Act protocols remain at risk. If your organization collects employee information, these are things you need to know and promptly address.
The Act changes the way employers and data collectors previously understood private information. It expands that understanding to now include data that combines a username or email address with a password. Another expansion covers a username or email address combined with security questions and answers. The definition of protected private information also casts a wider net to cover standalone credit card numbers even without accompanying access information such as a security code or PIN. Given the wide-reaching new definition of private information, employers would be wise to err on the side of caution.
The traditional understanding of a data breach focused on hackers penetrating a business network with criminal intent. New York has taken an expansive understanding of “breach” to now include any unauthorized access to sensitive data. If the security or confidentiality of digital files is compromised in any fashion, businesses could face high fines and severe consequences.
The state law has significant implications for those who conduct business relating to New York residents. If your organization collects data or licenses personal information of people living in the Empire State, SHIELD may be triggered. Having a physical location in New Jersey, Connecticut, or a thousand miles away will not exempt an outfit from SHIELD. The law also applies to primarily virtual operations, including big tech firms. If your organization leverages the data of New Yorkers, expect to be held to the cybersecurity standards.
While business leaders generally implement reasonable measures to protect employee and customer data, many are concerned about penalties. Those who fail to comply have every reason to be worried. The New York Attorney General’s office is already enforcing the regulations. Failure to meet the regulations could result in fines up to $5,000 for each incident.
But what gives the SHIELD Act real punitive teeth are the notification fines. For each failure to notify a potentially impacted New Yorker, penalties of $10 to $20 per violation can be levied. Given that hackers routinely steal thousands of records during a single breach, organizations could suffer a maximum fine of $250,000.
Although monetary penalties can be devastating to an organization’s bottom line, businesses can continue to generate revenue. But when reputations are damaged, it may not be quite as easy to right the ship. SHIELD Act violations put companies and their leaders squarely in the public eye. When the government opens an investigation and brings charges, those items are frighteningly public. Even seemingly minor missteps may be subject to social media hyperbole.
A U.K. study conducted by the Ponemon Institute, called “The Impact of Data Breaches on Reputation & Share Value,” concluded that upwards of 65 percent of clients experienced diminished trust after learning about a breach. Compounding the issue, upwards of 85 percent of those polled relayed the information to people they know. The consequences of a hefty fine pale by comparison to a damaged reputation.
It’s not uncommon for a state to define the security standards organizations are expected to meet only in broad terms. That approach has led to protracted litigation and to the courts interpreting what is deemed “reasonable.” The New York statute instead lays out three basic categories of safeguards that business leaders and cybersecurity experts can implement without confusion: “reasonable” administrative, physical, and technical safeguards, which include the following.
Organizations that have not developed a comprehensive strategy or are concerned an existing one might fall short of the stringent SHIELD Act would be well-served to consult with a cybersecurity specialist. Consider a thorough review of current practices and implement the necessary next steps.
If any saving grace exists regarding SHIELD Act compliance, it’s that managed IT cybersecurity firms can assess, consult, and upgrade your data protection. Many of the NY SHIELD Act thresholds are not necessarily complicated, at least for third-party firms. In fact, you could exceed many of the SHIELD Act mandates by having a specialist implement the following measures.
Although New York sets a high bar for sensitive data protection, industry leaders can secure their systems by reaching out to a managed IT cybersecurity firm. Experts in the field typically conduct a holistic review, test for vulnerabilities, and ensure you meet or exceed government regulations. By taking proactive measures to ensure SHIELD Act compliance, you can protect your business and reputation, and rest easy.