Time is running out to comply with New York State’s “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act. Ensure your organization is in compliance or face potential fines and penalties.

Posted on: 2/5/20 by John J. Unser

In order to meet the March 21, 2020 deadline, companies should take necessary steps to ensure that they are in compliance with the new SHIELD Act.

On October 23, 2019, new cybersecurity provisions took effect in New York that affect the majority of New York State businesses. The SHIELD Act requires companies to adopt a cybersecurity program to reduce the risk of a data breach.

New York is the latest state, joining California, Massachusetts and Colorado, to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information. New York's law mandates the implementation of a data security program, including measures such as risk assessments, workforce training, and incident response planning and testing. The law covers all employers, individuals and organizations, regardless of size or location, that collect private information on New York State residents.

“The approval of 23NYCRR 500 (DFS) and now the SHIELD Act prove New York State is taking cybersecurity very seriously. For years Marvin and Company has been assisting banks, insurance companies and law firms with DFS compliance. We are excited to assist our small business clients to ensure they understand and meet the new SHIELD regulation.”
– John Unser, CISO, IT Director, Marvin and Company, P.C.

The SHIELD Act requires implementation of an information security program to protect “private information” defined as:

  • any individually identifiable information such as name, number or other identifier coupled with social security number, driver’s or non-driver identification card number or account number, credit or debit card number in combination with any security code, access code, password or other information that would permit access to the individual’s financial account, or biometric information (such as fingerprint, voice print, retina or iris image);
  • individually identifiable information coupled with an account number, credit or debit card number if circumstances exist wherein such number could be used to access an individual’s financial account even without additional identifying information, or a security code, access code or password; or
  • a username or email address in combination with a password or security question and answer that would permit access to an online account.

The law broadly requires that “any person or business” that owns or licenses computerized data which includes private information of a New York State resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

In order to achieve compliance, an organization must implement a data security program that includes:

Administrative Safeguards
Persons and businesses possessing private information must now implement reasonable administrative safeguards, as listed in the SHIELD Act:

  • Designation of one or more employees to coordinate the business's security program
  • Identification of internal and external security risks
  • Assessment of the sufficiency of safeguards in place to control identified risks
  • Training and management of employees in the security program practices and procedures

Reasonable Technical Safeguards
Newly imposed technical safeguards specified in the SHIELD Act are:

  • Assessment of risk in network and software design
  • Assessment of information processing, transmission and storage risk
  • Detection, prevention and response to attacks and system failures
  • Regular testing and monitoring of the effectiveness of key controls, systems and procedures

Reasonable Physical Safeguards
The following physical safeguards are listed in the SHIELD Act:

  • Assessment of risks of information storage and disposal
  • Detection, prevention and response to physical intrusions
  • Protection against unauthorized access to or use of private information during and after its collection, transportation and destruction or disposal
  • Disposal of private information within a reasonable amount of time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed
  • Selection of service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract
  • Adjustment of the security program to address business changes and new circumstances

Small businesses with fewer than 50 employees, less than three million dollars in gross revenues in each of the last three fiscal years, or less than five million dollars in year-end total assets may scale their data security program according to their size and complexity, the nature and scope of their business activities, and the nature and sensitivity of the information collected.

Important note: Organizations that are covered by and in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services cybersecurity regulations shall be deemed in compliance with the SHIELD Act.

Compliance is enforced by the New York State Attorney General, and failure to implement a compliant information security program may result in injunctive relief and civil penalties. We can expect vigorous enforcement, because the Attorney General submitted the SHIELD Act as an agency-sponsored bill to keep pace with the use and dissemination of private information. The Attorney General remains authorized to bring an action to enjoin and restrain the continuation of any violation of the breach reporting requirements, but the Act doubles the penalty recoverable by the Attorney General from $10 to $20 per instance of failed notification, and increases the maximum penalty recoverable from $150,000 to $250,000. The Act also extends the time within which the Attorney General may bring an action from two to three years.

At Marvin and Company P.C. we have a long history of assisting our clients with their IT security needs. Whether your organization needs to meet HIPAA, DFS or SHIELD compliance or simply wants to verify the corporate infrastructure is secure, our team of professionals can help. Some of the IT services we’ve provided to our clients include IT audits, vulnerability assessments, policy creation, information security program creation and penetration testing, among many others.

For a full listing of our services please visit: https://www.marvincpa.com/our-services/a-history-of-shaping-futuresthrough-it-advisory-services/.
