NY State SHIELD Act Guide For South Carolina Organizations
In March 2020, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act became official. The SHIELD Act requires businesses or individuals licensing or owning digital data comprised of private New York State resident information to implement rational safeguards to protect this data’s confidentiality, security, and integrity.
How Are Private and Personal Information Defined?
Private information equates to an email address or username combined with a security question or password and answer that allows users to access an online account. Personal information is any information related to a natural person which, due to the number, personal mark, name, or another identifying trait, can be used to identify said natural individual.
This data consists of information combined with personal information that is not encrypted or is encrypted with a specific key that is accessed using a driver’s license number, Social Security number, non-driver identification card, credit or debit card number, or account number. Neither private nor personal information includes publicly available data that is lawfully available for public viewing from local, state, or federal records.
How to be Compliant
All covered businesses must meet the following physical, administrative, and technical safeguards to be compliant with the SHIELD Act:
To successfully enforce a human touch, all businesses must designate at least one employee to lead the security program, identify external and internal security risks, assess the safeguards’ sufficiency to control the risks, and train and manage employees on the security procedures and protocols. Part of the administrative safeguard is choosing service providers to maintain the specified safeguards through contracts and adjust the security program when new changes occur.
Reasonable physical safeguards require the assessment of information storage and deletion risks, protection from unauthorized access to private information, detecting and preventing intrusions, and private information disposal within a reasonable period after it is not needed. This includes erasing all electronic media so the information cannot be reconstructed and read by any system.
Technical safeguards comprise assessing software and network risks, including information processing, storage, transmission risks, and the detection, prevention, and response to system failures or attacks. This is accomplished through regular monitoring and testing to determine the effectiveness of key systems, controls, and procedures.
For small businesses, the security program must be compliant if it contains a reasonable amount of administrative, physical, and technical safeguards commensurate with the complexity and size of the small business. Typically, a small business is defined as a company with under 50 employees, less than five million dollars in year-end assets, and less than three million dollars in revenue over the past three fiscal years.
A covered business will be considered compliant with the SHIELD Act if it is compliant with regulations related to the following:
- Title V of the Federal Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act of 1996
- Health Information Technology for Economic and Clinical Health Act
Violations to the SHIELD Act are viewed as deceptive practices or acts that could be enforced by the New York Attorney General. The resulting fine is a civil penalty up to $5,000 per violation and could be harmful to a business’s reputation within the industry.
For more information on understanding the intricacies of the SHIELD Act, contact our team today.