Everything You Need To Know About The NY SHIELD Act

SHIELD Act compliance can be a complicated undertaking. Do you know everything you need to know to ensure you’re compliant?

Are you confident that you’re compliant with the NY SHIELD Act?

Ultimately, it comes down to how much you know about it. If you’re not fully aware of how this compliance system works, what’s expected of you, and how non-compliance is dealt with, then you’re at risk of major fines — up to $250,000.

That’s why you need to make sure you understand the SHIELD Act and what it means for your business.

What Is The New York SHIELD Act?

New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act is designed to make sure that organizations do their due diligence to protect the private data they access that belongs to residents of New York state. This means implementing a range of cybersecurity safeguards, and, in the event of a failure, facing severe non-compliance fines.

What Does This Mean For Your Business?

Some small businesses, or medical practices not subject to HIPAA, may think that they don’t have to comply with SHIELD — that’s not necessarily true. Under SHIELD, a small business is defined as an organization with:

  • fewer than fifty employees,
  • less than $3 million in gross annual revenue in each of the last three fiscal years, or,
  • less than $5 million in year-end total assets

Similarly, healthcare organizations not subject to HIPAA, but still subject to SHIELD, include:

  • Dental practices that do not accept direct insurance reimbursement
  • Retailers of health-related merchandise like vitamins or medical supplies
  • Medical marijuana dispensaries

What Private Information Does The SHIELD Act Protect?

The SHIELD Act covers a range of private data, similar to that covered by older laws, including:

  • Social security numbers
  • Credit or debit card numbers
  • Driver’s license numbers

These three types of data were already protected by previous legislation. It’s important to note that the SHIELD Act adds new protection for the following types of data:

  • Biometric information
  • Username/email addresses with passwords
  • Financial account numbers with or without security codes

How Does The SHIELD Act Expand On Existing New York State Laws?

There are a number of ways in which the SHIELD Act expands protection, requirements, and penalties involved in consumer data management in the state of New York:

  • Access vs. Acquisition: Access to protected data (viewing, copying, downloading) now constitutes a breach, as opposed to just the acquisition of protected data.
  • Your Duty To Protect: Businesses must implement “reasonable safeguards”:
    • Designating one or more employees to implement the security program
    • Training and managing employees in security program practices
    • Regular testing and monitoring of the effectiveness of key company controls and systems
    • Disposing of private information within a reasonable time after the information is no longer needed
  • Exemptions: There are potential exemptions for breach notification if it is determined that the breach can cause no damage (financial or otherwise) to the affected persons.
  • HIPAA Overlap: Although HIPAA already requires breach notification to the OCR, SHIELD additionally requires notification to the state AG.

What Are Reasonable Administrative, Technical, And Physical Safeguards Suggested By The SHIELD Act?

The SHIELD Act defines private information, breach of the security of the system, and breach notification requirements. Although the SHIELD Act does not specify what is considered to be reasonable administrative, technical, and physical safeguards, it does provide examples and suggestions of the kinds of safeguards businesses should be adopting.

Examples of reasonable safeguards include:

  • Administrative: Designating one or more individuals to be responsible for security programs.
  • Technical: Assessing risks in network and software design.
  • Physical: Detecting, preventing, and responding to intrusions.

For the most part, SHIELD compliance is a matter of cybersecurity management, both through solutions and best practices. Maintaining SHIELD compliance means implementing a number of cybersecurity best practices:

  • A detailed documented and managed cybersecurity program.
  • Training and testing programs to keep your staff up to date on cybersecurity awareness and how to respond in the event of a breach.
  • Comprehensive assessment of your IT to identify and address vulnerabilities.
  • Assessment of potential service providers and other third parties to make sure they’re bound to a contract to safeguard data.
  • A policy for destroying data in the event that it’s no longer needed for your firm’s operations.

How Does The SHIELD Act Handle Breach Response?

In the event of a breach, you must follow SHIELD’s reporting requirements according to the type of data exposed:

  • If no ePHI is affected by the breach, you must report the event to:
    • The State Attorney General
    • The Department of State
    • State Police
    • Any affected individuals
  • If the breach affects more than 5,000 New York state residents, you must report the event to the Consumer Protection Bureau
  • If the breach affects ePHI and triggers HIPAA-based reporting requirements, you must also report the event to the State Attorney General within five days of reporting to the Office for Civil Rights.

What Happens If You’re Not Compliant With SHIELD?

Before the NY SHIELD Act took effect, failing to notify could result in a fine of $5,000 or $10 per instance, whichever figure was higher, up to a total of $150,000.

With the SHIELD Act in effect, these fines increase to $20 per incident with a maximum of $250,000. In addition, you can face a fine up to three years after an incident rather than two years.

Who Should You Contact To Be SHIELD Compliant?

Need a hand assessing your SHIELD compliance?

You can partner with PNJ Technology Partners to have your compliance practices double-checked and your cybersecurity supported by the right technology. Get in touch with our team to discover how we manage our clients’ SHIELD compliance.