LACyber is a Division of Lincoln Archives Inc.

New York State’s SHIELD ACT: Steps for Understanding and Compliance!

(Uploaded: 2020-02-20 11:33:31 -- Author: Sally Rozumalski)

Cyber-attacks aimed at business entities have gained massive traction in recent years, and a higher data breach price tag has come with them. Data security regulation is a higher priority now than ever. The 2019 Official Annual Cybercrime Report (ACR) predicts that businesses will fall victim to ransomware attacks every 14 seconds, and that data attacks, which evolve each year, will cost an estimated $6 trillion in damages by 2021. Regulation of data protection and privacy is now a necessity for staying in business. New York State is making sure of that with the signing of the Stop Hacks and Improve Electronic Data Security Act, also known as the SHIELD Act!

What is the SHIELD Act and when does it become law?

Phase one of the SHIELD Act went into effect on 10/23/2019; this section covers the mandated reporting of data breaches. The 03/21/2020 deadline, however, is much more involved: it requires a plan in place for reasonable safeguards covering administrative, technical and physical aspects.

The SHIELD Act expands current legislation with broader definitions of both personal information and what constitutes a data breach. It also changes who must be in compliance, and the fines due from those who are not.

The SHIELD Act changes:

  • New definition of personal information
  • Data breach definition: acquisition and access
  • Covers every company doing business within NYS, and those operating outside NYS that hold personal information of NYS residents
  • Requirement of reasonable safeguards:
    • Administrative
    • Physical
    • Technical
  • Small business definition and “easier” compliance standards

What Happens if I’m not in Compliance by the March Deadline?

From here on out, the NYS Attorney General will handle matters of non-compliance.

You’ll be subject to a penalty whose maximum has just increased from $150,000 to $250,000!

So, How Can I Ensure I Am Compliant?

To be compliant with the SHIELD Act, you must first understand it!

Here are general guidelines to focus on:

  1. The Act significantly expands the types of “private” information that must be protected and the breaches that must be reported.
  2. Know what “private” information you hold on any New York State residents, including where it resides and how it is protected now.
  3. Be able to clearly assess internal and external risks, and put controls in place to reduce those risks.
  4. Understand and have in place policies and procedures to properly destroy “private” information within a “reasonable” period of time after it is no longer required for business purposes.
  5. Set up proper administrative, physical, and technical safeguards.
  6. The maximum penalty has increased from $150,000 to $250,000.


How LACyber Will Help You Become Compliant!


At LACyber, we’re here to help make this process as streamlined as possible.

To ensure your organization will not face fines for non-compliance, schedule a free 10-15 minute phone consultation with us today! We will go over the requirements for your specific organization/industry and suggest steps you can take towards compliance before the deadline.


CONTACT INFORMATION: 716-871-7040 / SROZUMALSKI@LA-CYBER.COM