In order to meet the March 21, 2020 deadline, companies should take necessary steps to ensure that they are in compliance with the new SHIELD Act.
On October 23, 2019, new cybersecurity laws began to take effect in New York that impacted a majority of New York State businesses. The SHIELD Act requires companies to adopt a cybersecurity program to reduce the risk of a data breach.
New York is the latest state, joining California, Massachusetts and Colorado, to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information. New York's law mandates the implementation of a data security program, including measures such as risk assessments, workforce training, and incident response planning and testing. The law covers all employers, individuals or organizations, regardless of size or location, that collect private information on New York State residents.
“The approval of 23NYCRR 500 (DFS) and now the SHIELD Act prove New York State is taking cybersecurity very seriously. For years Marvin and Company has been assisting banks, insurance companies and law firms with DFS compliance. We are excited to assist our small business clients to ensure they understand and meet the new SHIELD regulation.”
– John Unser, CISO, IT Director, Marvin and Company, P.C.
The SHIELD Act requires implementation of an information security program to protect “private information” defined as:
The law broadly requires that “any person or business” that owns or licenses computerized data which includes private information of a New York State resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”
In order to achieve compliance, an organization must implement a data security program that includes:
Persons and Businesses possessing Private Information must now implement reasonable administrative safeguards, as listed in the SHIELD Act:
Reasonable Technical Safeguards
Newly imposed technical safeguards specified in the SHIELD Act are:
Reasonable Physical Safeguards
The following physical safeguards are listed in the SHIELD Act:
Small businesses with fewer than 50 employees, less than three million dollars in gross revenues in each of the last three fiscal years, or less than five million dollars in year-end total assets may scale their data security program according to their size and complexity, the nature and scope of their business activities, and the nature and sensitivity of the information collected.
Important note: Organizations that are covered by and in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services cybersecurity regulations shall be deemed in compliance with the SHIELD Act.
The requirement to implement a compliant information security program is enforced by the New York State Attorney General, and failure to comply may result in injunctive relief and civil penalties. We can expect vigorous enforcement because the Attorney General submitted the SHIELD Act as an agency-sponsored bill to keep pace with the use and dissemination of private information. The Attorney General remains authorized to bring an action to enjoin and restrain the continuation of any violation of the breach reporting requirements, but the Act doubles the penalty recoverable by the Attorney General from $10 to $20 per instance of failed notification, and increases the maximum penalty recoverable to $250,000 from $150,000. The Act also increases the time within which the Attorney General may bring an action from two to three years.
At Marvin and Company P.C. we have a long history of assisting our clients with their IT security needs. Whether your organization needs to meet HIPAA, DFS or SHIELD compliance or simply wants to verify the corporate infrastructure is secure, our team of professionals can help. Some of the IT services we’ve provided to our clients include IT audits, vulnerability assessments, policy creation, information security program creation and penetration testing, among many others.
For a full listing of our services please visit: https://www.marvincpa.com/our-services/a-history-of-shaping-futuresthrough-it-advisory-services/.