SHIELD Act compliance can be a complicated undertaking. Do you know everything you need to know to ensure you’re compliant?
Are you confident that you’re compliant with the NY SHIELD Act?
Ultimately, it comes down to how much you know about it. If you’re not fully aware of how this compliance system works, what’s expected of you, and how non-compliance is dealt with, then you’re at risk of major fines of up to $250,000.
That’s why you need to make sure you understand the SHIELD Act and what it means for your business.
New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act is designed to make sure that organizations do their due diligence to protect the private data they access that belongs to residents of New York state. This means implementing a range of cybersecurity safeguards, and, in the event of a failure, facing severe non-compliance fines.
Some small businesses or medical practices not subject to HIPAA may think that they don’t have to comply with SHIELD — that’s not necessarily true. Under SHIELD, a small business is defined as an organization with:
Similarly, healthcare organizations not subject to HIPAA, but still subject to SHIELD, include:
The SHIELD Act covers a range of private data, similar to the categories covered by older laws, including:
These three types of data were already protected by previous legislation. It’s important to note that the SHIELD Act adds new protection for the following types of data:
There are a number of ways in which the SHIELD Act expands protection, requirements, and penalties involved in consumer data management in the state of New York:
The SHIELD Act defines private information, breach of the security of the system, and breach notification requirements. Although the SHIELD Act does not specify what is considered to be reasonable administrative, technical, and physical safeguards, it does provide examples and suggestions of the kinds of safeguards businesses should be adopting.
Examples of reasonable safeguards include:
For the most part, SHIELD compliance is a matter of cybersecurity management, both through solutions and best practices. Maintaining SHIELD compliance means implementing a number of cybersecurity best practices:
In the event of a breach you must follow SHIELD’s reporting requirements as per the type of data exposed:
Before the NY SHIELD Act took effect, failing to notify could cost you a fine of $5,000 or $10 per instance, whichever figure was higher, up to a total of $150,000.
With the SHIELD Act in effect, these fines are increased to $20 per incident, with a maximum of $250,000. In addition, you could face a fine up to three years after an incident rather than two years.
Need a hand assessing your SHIELD compliance?
You can partner with PNJ Technology Partners to have your compliance practices double-checked and your cybersecurity supported by the right technology. Get in touch with our team to discover how we manage our clients’ SHIELD compliance.