The “Stop Hacks and Improve Electronic Data Security Act” (aka NYS SHIELD Act) was signed into law in July 2019 and fully takes effect on March 21, 2020. This law has several parts.
First, it broadens the definition of what data must be protected to include “private information” in addition to “personal information”. This sounds insignificant, but it has big implications, which we’ll discuss in a future video.
Second, SHIELD broadens the definition of the term “breach” to include unauthorized “access” to the data. Previously, NY law considered it a breach only if data was copied or exfiltrated. Third, SHIELD mandates that businesses that collect private information on New York State residents must implement reasonable cybersecurity safeguards to protect that information.
The law describes the framework for these cybersecurity programs, which includes implementing cybersecurity best practices similar to the ones other regulations require. Note that the law gives smaller businesses some flexibility to implement their cybersecurity program in a way that is appropriate to the amount and sensitivity of the data that the business handles.
Fines for noncompliance with the law can be as high as $5000 per violation, up to $250,000 total.
While implementing SHIELD may feel like a burden for many businesses, it’s good to remember that this law was created for a reason.
Cybersecurity attacks have been increasing drastically year over year. As a result, more data is being stolen today than ever before, and millions of individuals are being personally affected.
New York State is the fourth state to adopt these kinds of regulations to help protect its residents from becoming the victims of a cybersecurity attack. Many other states are currently considering similar legislation.
The only reasonable way to protect the sensitive data that your company collects is to implement cybersecurity best practices.