Have you heard about New York State’s Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act? Its expanded breach-notification provisions took effect on October 23, 2019, and its data security requirements take effect on March 21, 2020. From that date, any business that holds New York residents’ private information should understand the updated rules governing how that information is managed and disposed of:
The SHIELD Act does not mandate specific safeguards but instead provides that a business will be deemed to be in compliance with the reasonableness standard set out in the Act if it implements a “data security program” that includes all of the elements enumerated in the SHIELD Act.
At base, you will need “reasonable” administrative, technical, and physical safeguards to protect, and securely dispose of, New York State residents’ private information. To meet that standard, implement (or confirm that you have already implemented) a data security program that includes the following:
Reasonable Administrative Safeguards
- designate one or more employees to coordinate the security program;
- identify reasonably foreseeable internal and external risks;
- assess the sufficiency of safeguards in place to control the identified risks;
- train and manage employees in the security program practices and procedures;
- select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract; and
- adjust the security program in light of business changes or new circumstances.
Reasonable Technical Safeguards
- assess risks in network and software design;
- assess risks in information processing, transmission, and storage;
- detect, prevent, and respond to attacks or system failures; and
- regularly test and monitor the effectiveness of key controls, systems, and procedures.
Reasonable Physical Safeguards
- assess the risks of information storage and disposal;
- detect, prevent, and respond to intrusions;
- protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and
- dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Be aware, too, of your obligations to report a breach should one occur. Contact your lawyer immediately, and note that under the amended law a “breach” includes unauthorized access to private information, not only its acquisition.
Importantly, determine how the Act applies to you and whether you qualify for a relaxed standard or for deemed compliance:
- Small businesses (those with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) are not exempt, but need only ensure that their data security safeguards are appropriate for the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it handles.
- Businesses of any size that are subject to, and in compliance with, other regulatory schemes requiring information security (e.g., HIPAA, the Gramm-Leach-Bliley Act, or the NYDFS cybersecurity regulation) are deemed to be in compliance with the SHIELD Act’s data security requirement. That deemed compliance does not relieve them of the Act’s breach-notification obligations.
If you fall into neither of those categories, take steps to make sure your program includes each of the safeguards listed above. If you have any questions, give me a call.