The growth of cybercrime shows no signs of slowing. And with New York among its top victimized states (ranking second behind California), the governor has stepped in with new regulations to enhance digital security.
On July 16, 2019, Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. This legislation is designed to protect the private information of New York residents and broaden the existing state requirements for security breach notifications.
Employers must now develop, implement, and maintain substantial security measures to protect the confidentiality of their workers’ and customers’ private data.
What constitutes private information?
New York laws previously defined “private information” as a social security number, credit or debit card number, driver’s license number, or a financial account number and accompanying security code. The SHIELD Act broadens the definition to include:
- Biometric information;
- Email addresses (along with corresponding passwords, security questions, and answers); and
- Financial account numbers even without an accompanying security code.
The addition of biometric data and email credentials is a significant change for employers. Keys to the office have been replaced with fingerprint locks and 99.99% of businesses keep a catalog of their employees’ email addresses.
And the SHIELD Act changes a lot more than what qualifies as private information.
What are the changes to New York’s breach notification requirements?
Rather than simply identifying unauthorized acquisition of protected data, a “breach” now includes any unauthorized access.
This adds a significant burden for employers, because determining when data was merely viewed is far harder than determining when it was copied or stolen.
Consider the example of a Human Resources employee whose email login credentials are stolen. By logging in to the account, a cybercriminal could access thousands of email exchanges containing private information. After resetting the account’s password, how would you determine which conversations were viewed while the cybercriminal was logged in?
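The question above can only be answered from per-item mailbox audit records that were already being collected before the incident. As an added example (not part of the original article), the following script scopes constructed audit events to the window between the credential theft and the password reset and excludes the organisation's own known addresses; the field names and sample values are assumptions for illustration, not any vendor's real schema.

```python
import json
from datetime import datetime, timezone

# Constructed sample audit events (JSON lines). The field names are assumed for
# this example; real mailbox audit logs carry equivalent per-item access records.
SAMPLE_AUDIT_LOG = """\
{"ts": "2019-09-03T08:02:11Z", "user": "hr@example.com", "op": "MailItemsAccessed", "client_ip": "203.0.113.7", "items": ["msg-101", "msg-102"]}
{"ts": "2019-09-03T08:05:40Z", "user": "hr@example.com", "op": "MailItemsAccessed", "client_ip": "198.51.100.25", "items": ["msg-103"]}
{"ts": "2019-09-03T08:07:02Z", "user": "hr@example.com", "op": "MailItemsAccessed", "client_ip": "203.0.113.7", "items": ["msg-104", "msg-102"]}
{"ts": "2019-09-03T09:30:00Z", "user": "hr@example.com", "op": "PasswordReset", "client_ip": "198.51.100.25", "items": []}
{"ts": "2019-09-03T09:45:00Z", "user": "hr@example.com", "op": "MailItemsAccessed", "client_ip": "203.0.113.7", "items": ["msg-105"]}
{"ts": "2019-09-03T08:06:00Z", "user": "other@example.com", "op": "MailItemsAccessed", "client_ip": "203.0.113.7", "items": ["msg-900"]}
"""

# Constructed incident timeline: when the credentials were stolen and when the
# password was reset. Addresses in TRUSTED_IPS are the office's own (assumed).
COMPROMISE_START = datetime(2019, 9, 3, 8, 0, tzinfo=timezone.utc)
COMPROMISE_END = datetime(2019, 9, 3, 9, 30, tzinfo=timezone.utc)
TRUSTED_IPS = {"198.51.100.25"}


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def items_viewed_by_intruder(events, mailbox, start, end, trusted_ips):
    """Return the sorted message ids read from `mailbox` inside the compromise
    window by any client address not on the trusted list. Every item in the
    result counts as "accessed" private information for breach assessment."""
    viewed = set()
    for e in events:
        if e["user"] != mailbox or e["op"] != "MailItemsAccessed":
            continue
        if not (start <= e["ts"] <= end):
            continue  # outside the window between theft and reset
        if e["client_ip"] in trusted_ips:
            continue  # the legitimate user working from a known address
        viewed.update(e["items"])
    return sorted(viewed)


if __name__ == "__main__":
    events = parse_events(SAMPLE_AUDIT_LOG)
    print(items_viewed_by_intruder(events, "hr@example.com",
                                   COMPROMISE_START, COMPROMISE_END, TRUSTED_IPS))
```

If per-item mailbox auditing was not enabled and retained before the incident, there is no record to scope and the conservative assumption is that every message in the mailbox was accessed.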
There are also new rules for inadvertent disclosures of private data. Take, for example, the case of an HR employee accidentally sending confidential information to the wrong employee. The company must now document proof that the act will likely not result in misuse and maintain that documentation for five years. If the incident involves over 500 New York residents, the employer must submit the documentation to the state attorney general within 10 days of the determination.
How can IT support help avoid breaches?
IT technicians play key roles under these new laws. The SHIELD Act requires that businesses implement a “data security program” that addresses all elements under the act.
Such a program includes:
- Training and managing workers in proper IT security practices;
- Education on internal and external cybersecurity risks;
- Implementing controls to mitigate those risks;
- Ensuring service providers are contractually bound to safeguard private information; and
- Securely destroying private data when it no longer serves a business purpose.
In addition to implementing a data security program, a small business (with fewer than 50 employees and under $3 million in gross annual revenue) can be deemed compliant if its security safeguards are adequate for its size, the nature and scope of its activities, and the sensitivity of the personal information at hand.
Businesses that are already in compliance with other information security schemes — such as the Health Insurance Portability and Accountability Act Security Rule or the Gramm-Leach-Bliley Act — are also deemed compliant with the SHIELD Act.
Secure your data with help from experts
The SHIELD Act highlights the need for a robust security program designed, implemented, and maintained by IT professionals. Partnering with managed IT services providers (MSPs) like Capstone IT allows you to access the latest tools and solutions in cybersecurity, so you can comply with the SHIELD Act and ensure the safety of your sensitive information.