As we’ve previously reported, the New York Stop Hacks and Improve Electronic Data Security Act Act (the “SHIELD Act”) goes into effect on March 21, 2020. The SHIELD Act, which amends the State’s current data breach notification law, imposes more expansive data security and data breach notification requirements on companies, in the hope of ensuring better protection for New York residents from data breaches of their private information. In anticipation of the SHIELD Act’s effective date, over the next several months we will highlight various aspects of the new law, and how to prepare. Under the Act, individuals and businesses who collect computerized data including private information about New York residents must implement and maintain reasonable administrative, physical and technical safeguards. The Act provides several safeguards which may be implemented to ensure compliance.

Administrative Safeguards

• Designate individual(s) responsible for security programs;

• Conduct risk assessments;

• Train and manage employees in security program practices and procedures;

• Select capable service providers and require safeguards by contract; and

• Adjust program(s) in light of business changes or new circumstances.

Physical Safeguards:

• Assess risks of information storage and disposal;

• Detect, prevent, and respond to intrusions;

• Protect against unauthorized access/use of private information during or after collection, transportation and destruction/disposal; and

• Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes.

 Technical Safeguards:

• Assess risks in network and software design;

• Assess risks in information processing, transmission and storage;

• Detect, prevent, and respond to attacks or system failures; and

• Regularly test and monitor the effectiveness of key controls, systems and procedures.

In addition to the safeguards recommended in the Act, organizations should also consider the following:

• Developing access management plans;

• Maintaining written policies and procedures;

• Applying sanctions to individuals who violate the organization’s data privacy and security policies and procedures;

• Implementing facility security plans;

• Maintaining and practicing disaster recovery and business continuity plans;

• Tracking inventory of equipment and devices;

• Deploying encryption and data loss prevention tools;

• Develop and practice an incident response program;

• Regularly updating antivirus and malware protections;

• Utilizing two factor authentication; and

• Maintaining and implementing a record retention and destruction policy.

With the effective date of the SHIELD Act inching closer, covered businesses should be assessing their data security programs and making adjustments as necessary to ensure compliance with the new law. As a reminder, while there are more flexible standards for small businesses (with fewer than 50 employees and less than $3 million per year in gross revenue), these businesses still must implement a reasonable security program appropriate for the size and complexity of their business. Moreover, other state statutes and regulations must be factored into the security program.

Additional resources on security program implementation are available here:

• Is Your Small Business Prioritizing Cybersecurity?

• The FTC Announces a National Cybersecurity Education Campaign for Small Businesses

• The Dark Web and its Impact on Small Business

• Data Breach Preparedness: A critical risk management priority for small and mid-sized businesses