September 18, 2021

Volume XI, Number 261

New Year, New Shields: How Can You Prepare for the New York Shield Act?

As we’ve previously reported, the New York Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”) goes into effect on March 21, 2020. The SHIELD Act, which amends the State’s current data breach notification law, imposes more expansive data security and data breach notification requirements on companies, in the hope of ensuring better protection for New York residents from data breaches of their private information. In anticipation of the SHIELD Act’s effective date, over the next several months we will highlight various aspects of the new law, and how to prepare.

Under the Act, individuals and businesses who collect computerized data including private information about New York residents must implement and maintain reasonable administrative, physical and technical safeguards. The Act provides several safeguards which may be implemented to ensure compliance.

Administrative Safeguards:

  • Designate individual(s) responsible for security programs;

  • Conduct risk assessments;

  • Train and manage employees in security program practices and procedures;

  • Select capable service providers and require safeguards by contract; and

  • Adjust program(s) in light of business changes or new circumstances.

Physical Safeguards:

  • Assess risks of information storage and disposal;

  • Detect, prevent, and respond to intrusions;

  • Protect against unauthorized access/use of private information during or after collection, transportation and destruction/disposal; and

  • Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes.

Technical Safeguards:

  • Assess risks in network and software design;

  • Assess risks in information processing, transmission and storage;

  • Detect, prevent, and respond to attacks or system failures; and

  • Regularly test and monitor the effectiveness of key controls, systems and procedures.

In addition to the safeguards recommended in the Act, organizations should also consider the following:

  • Developing access management plans;

  • Maintaining written policies and procedures;

  • Applying sanctions to individuals who violate the organization’s data privacy and security policies and procedures;

  • Implementing facility security plans;

  • Maintaining and practicing disaster recovery and business continuity plans;

  • Tracking inventory of equipment and devices;

  • Deploying encryption and data loss prevention tools;

  • Developing and practicing an incident response program;

  • Regularly updating antivirus and malware protections;

  • Utilizing two-factor authentication; and

  • Maintaining and implementing a record retention and destruction policy.

With the effective date of the SHIELD Act inching closer, covered businesses should be assessing their data security programs and making adjustments as necessary to ensure compliance with the new law. As a reminder, while there are more flexible standards for small businesses (with fewer than 50 employees and less than $3 million per year in gross revenue), these businesses still must implement a reasonable security program appropriate for the size and complexity of their business. Moreover, other state statutes and regulations must be factored into the security program.

Additional resources on security program implementation are available here:

Jackson Lewis P.C. © 2021 National Law Review, Volume IX, Number 357

About this Author

Delonie A. Plummer Privacy Attorney Jackson Lewis Law Firm White Plains, New York
Associate

Delonie A. Plummer is an Associate in the White Plains, New York, office of Jackson Lewis P.C. Her practice focuses on representing employers in workplace law matters, including preventive advice and counseling. 

In her Privacy, Data and Cybersecurity practice, Ms. Plummer counsels employers on compliance with federal and state privacy laws, in addition to data breach prevention and response.

While attending law school, Ms. Plummer served as a Senior Associate of the Pace International...

914-872-6923