The first half of 2020 saw over 500 reported data breaches! This surge in attacks came as a wake-up call for many businesses, especially ones that store Personally Identifiable Information (PII), such as employee or customer social security numbers. In an effort to curb these breaches, protect consumers in New York, and set higher standards for the companies that serve them, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into law in July 2019.
The SHIELD Act, which went into effect in March 2020, is an extension of the New York State Information Security Breach and Notification Act and broadens the scope of the already existing federal and state data protection regulations. It expands the data security and breach notification requirements in three major ways:
The Act outlines administrative, technical, and physical safeguards that each company needs to put in place. The full Act covers a significant number of protocols to be set by companies, highlights of which are as follows:
Complying with the SHIELD Act might sound like a Herculean task, but there’s a respite for companies that meet certain criteria. There are exceptions for small businesses with fewer than 50 people and less than $3 million in yearly revenue. Also, companies already compliant with GLBA, HIPAA, and 23 NYCRR 500 will be allowed exemptions under this Act. However, these businesses still have to implement reasonable security protocols depending on the size and complexity of their operations.
The New York State Attorney General, who is the enforcer for this Act, can seek up to $250,000 for non-compliance. But there is no cap on the penalties, so the fines can go higher depending on the level of the breach and misinformation. Just recently, the Attorney General penalised ShopRite and its parent company, Wakefern, in the amount of $235,000 for improper disposal of electronic devices and putting thousands of consumers’ private data at risk.
While the SHIELD Act’s complexity and detailed rules might seem overwhelming, our compliance team is well-versed in the Act and can guide you in getting your SHIELD up.