Businesses with Operations In New York Need to Know the SHIELD Act
The state of New York has a population of more than 19 million people, and businesses with operations in New York need to be aware of the SHIELD Act. The Stop Hacks And Improve Electronic Data Security (SHIELD) Act has one focus, and that’s to protect the residents of New York State and their information in electronic format.
Businesses have been subject to regulatory oversight for decades – that’s nothing new. Compliance is a daily necessity in business, but the SHIELD Act is unique because it applies to businesses that operate in New York with employees residing in New York, or that have customers or clients in New York.
What Is the SHIELD Act?
If you’re a business that operates in the state of New York, more specifically with employees, customers, or clients residing in the state of New York, you are required to take steps with your technology to actively safeguard the personal information of these employees, customers, or clients, in an effort to prevent this data from being exposed. The population of the state of New York represents more than 15% of the United States, so exposure of this information has the potential to be crippling to all involved.
The significance of the SHIELD Act is how it redefines “exposure” when it comes to information. Previously, a breach was considered to be the unauthorized acquisition of data; under the SHIELD Act, it now applies to unauthorized access. Even potential access to this information now requires that the affected individuals be notified and that credit reporting agencies offer identity theft protection services to impacted consumers.
What Information Does the SHIELD Act Protect?
The sensitive data of private residents in New York state includes details like:
- Names
- Social Security numbers
- Driver’s license numbers
- Credit and debit card numbers, with or without PIN codes
- Financial account numbers or information
- Biometric information
- Account user names or email addresses – with or without passwords
It’s clearer now how exposure of this information for more than 19 million people could have a staggering effect, and why the SHIELD Act mandates minimum data security requirements for protecting this data.
The SHIELD Act applies to any person or business that accesses, stores, shares, or uses this information in a computerized format.
What Does Your Business Need to Do to Comply with the SHIELD Act?
Businesses under the SHIELD Act fall into one of two classifications:
Small Businesses
- You have fewer than 50 employees
- Your annual revenue is less than $3 million in each of the past three fiscal years
Small businesses are required to implement reasonable administrative, technical, and physical safeguards to protect their data in electronic format. What does “reasonable” mean? Reasonable safeguards are those measures considered appropriate for:
- The size and operational complexity of the small business
- The nature and scope of the business and industry
- The sensitivity of the data used by the business
Large Businesses
- You have more than 50 employees
- Your gross annual revenue is greater than $3 million
No matter which classification your business fits into, your business will need to take steps with technology security for your data:
- Maintain secure IT systems and network
- Limit those who can access your sensitive information
- Training, training, training
Training staff on security procedures and best practices for data security is the most important step you can take. This includes using strong passwords, knowing how often to update passwords, and recognizing phishing attempts to gain access to these passwords.