The SHIELD Act Has A Direct Impact On Your Business In New York
The state of New York boasts one of the largest population centers in the U.S., and as home to more than 19 million people, the likelihood that your business is tied in some way to the state of New York is great. Whether your business has a location in New York, has operations in New York with remote staff, or has customers or clients in New York, the Stop Hacks And Improve Electronic Data Security (SHIELD) Act impacts you.
The SHIELD Act has one focus: to protect New York residents and their personal information in digital format. While this singular focus is clear, the guidelines and requirements spelled out to enforce this purpose are complex.
What Is the SHIELD Act?
If you’re a business with operations in the state of New York or have employees, customers, or clients residing in the state of New York, the SHIELD Act applies to you. The SHIELD Act spells out requirements for cybersecurity steps your business will need to take to proactively protect your employees, customers, or clients’ personal information. The technology security steps are to prevent this data from being exposed, and with the information of millions of people, the risk has the potential of far-reaching consequences.
The SHIELD Act redefines what “exposure” means with digital information. Until the SHIELD Act, data breaches were primarily the unauthorized acquisition of data. In contrast, now the SHIELD Act redefines exposure to include unauthorized access – not just “getting” the data, just the ability to get the data.
The SHIELD Act requires that individuals whose information has been compromised be notified and that credit reporting agencies offer identity theft protection services to these consumers.
How Does the SHIELD Act Protect Information?
For private residents of New York, sensitive data protected by the SHIELD Act includes details like:
- Legal Names
- Social Security and Driver’s license numbers
- Credit and debit card numbers, with or without PIN codes
- Financial account numbers or information
- Account user names or email addresses – with or without passwords
- And more
What Does SHIELD Act Compliance Mean For Your Business?
The SHIELD Act categorizes businesses into two classifications based on specific data:
Small Businesses
- Less than 50 employees
- Less than $3 million annual revenue in each of the past three fiscal years
The SHIELD Act realizes the financial burden technology security can place on a small business if required to exercise the same compliance level as large businesses. To address this, the SHIELD Act acknowledges that small businesses are required to take administrative technical and physical steps to protect electronic data, with protective steps considered appropriate for the following:
- The size and complexity of your business
- The nature and scope of your industry
- The sensitivity of the data you store
Large Businesses
- More than 50 employees
- Greater than $3 million in gross annual revenue
All businesses, small and large, must reflect on your operational technology to address cybersecurity for your data:
- Maintain a secure technology environment, including IT systems and network
- Exercise limits on those who can access your sensitive information
- Training for your staff on security protocols and best practices