New York Governor Cuomo signed the SHIELD Act into law on July 25, 2019. The law amends the existing data breach notification law and adds new cybersecurity requirements.
The SHIELD Act takes effect March 21, 2020.
New York is the latest state, joining California, Massachusetts and Colorado, to adopt a law that requires businesses that collect private information on their residents to implement reasonable cybersecurity safeguards to protect that information. New York's law mandates the implementation of a data security program, including measures such as risk assessments, workforce training, and incident response planning and testing. The law covers all employers, individuals or organizations, regardless of size or location, that collect private information on New York State residents.
“The approval of 23NYCRR 500 (DFS) and now the SHIELD Act prove New York State is taking cybersecurity very seriously. For years Marvin and Company has been assisting banks, insurance companies and law firms with DFS compliance. We are excited to assist our small business clients to ensure they understand and meet the new SHIELD regulation.”
– John Unser, CISO, IT Director, Marvin and Company, P.C.
The SHIELD Act requires implementation of an information security program to protect “private information” defined as:
The law broadly requires that “any person or business” that owns or licenses computerized data which includes private information of a New York State resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”
In order to achieve compliance, an organization must implement a data security program that includes:
Persons and businesses possessing private information must now implement reasonable administrative safeguards, as listed in the SHIELD Act:
Reasonable Technical Safeguards
Newly imposed technical safeguards specified in the SHIELD Act are:
Reasonable Physical Safeguards
The following physical safeguards are listed in the SHIELD Act:
Small businesses with fewer than 50 employees, less than three million dollars in gross revenues in each of the last three fiscal years, or less than five million dollars in year-end total assets may scale their data security program according to their size and complexity, the nature and scope of their business activities, and the nature and sensitivity of the information collected.
Important note: Organizations that are covered by and in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services cybersecurity regulations shall be deemed in compliance with the SHIELD Act.
Failure to implement a compliant information security program is enforced by the New York State Attorney General and may result in injunctive relief and civil penalties of up to $5,000 imposed against an organization and individual employees for “each violation.” Depending on how the Attorney General seeks to apply this provision, this could potentially lead to significant monetary penalties for entities and their employees who fail to take required protective measures, including when those failures lead to a data breach. We can expect vigorous enforcement because the Attorney General submitted the SHIELD Act as an agency-sponsored bill to keep pace with the use and dissemination of private information. Indeed, absent future clarification, the Attorney General may seek civil penalties to enforce reasonable cybersecurity safeguards even in the absence of a data breach. Of course, any enforcement activity by the Attorney General’s office will also have other damaging consequences, such as reputational harm and supply chain issues with the firm’s business partners.
At Marvin and Company P.C. we have a long history of assisting our clients with their IT security needs. Whether your organization needs to meet HIPAA, DFS or SHIELD compliance or simply wants to verify the corporate infrastructure is secure, our team of professionals can help. Some of the IT services we’ve provided to our clients include IT audits, vulnerability assessments, policy creation, information security program creation and penetration testing, among many others.
For a full listing of our services please visit: https://www.marvincpa.com/our-services/a-history-of-shaping-futuresthrough-it-advisory-services/.