Doing Business in NY State? Here’s What You Need to Know About the NY State Shield Act

New York State has implemented formal rules that regulate the data security of state residents. Any business or organization that deals with the private electronic data of NY State residents must be compliant with the NY State Shield Act. Does that apply to your organization? Read on for everything you need to know about maintaining compliance.

Optimizing Security & Protecting Client Data with the NY State Shield Act

The proper handling of confidential electronic data is a huge part of doing business anywhere these days. With more and more business transactions occurring online, protecting electronic customer data is critical. In fact, for businesses who do any kind of business with New York State residents, there are now new rules and compliance regulations in place to ensure client electronic data is properly protected.

On March 21st, 2020 New York State implemented the “Stop Hacks and Improve Electronic Data Security” (Shield) Act. The NY State Shield Act requires any person or business owning or licensing computerized data – including identifying information of any New York State resident –  to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that data.

The most important part? The NY State Sheild Act applies to businesses and organizations who deal with the data of NY State residents even if their organization operates outside of NY State. This means if your company processes transactions or collects any type of data from customers residing in NY State, you’re required to get and stay compliant with the NY State Shield Act.

We know that many of our clients fall under the jurisdiction of these new regulations. So, we thought we would put together a brief guide explaining what the NY State Sheild Act is all about and how all businesses and organizations can stay compliant. Keep reading to understand everything you need to know about NY State Shield Act compliance.

Breaking Down the Basics: Understanding the NY State Shield Act

The NY State Shield Act is all about protecting consumer data through the implementation of reliable cybersecurity standards and strategies. The Sheild Act is designed to protect the private data of NY State residents through the implementation of reasonable administrative, technical, and physical safeguards. Let’s break down some of this jargon below.

What is considered private data? 

Private data includes any kind of confidential data that could identify a client. This might include:

  • Login credentials like usernames, email addresses, passwords, or security questions and answers that permit access to online accounts.
  • Unencrypted personally-identifying information like names, account numbers, or any other kind of personal markers that could be used to identify a client or customer.
  • Formal identification data like social security numbers, driver’s license numbers, or other markers from client forms of identification
  • Financial data like banking account numbers, credit or debit card numbers, as well as security codes, access numbers, or login credentials for such financial accounts.
  • Biometric information used for finger-print or face-scanning technologies.

What are some examples of reasonable administrative safeguards?

  • Designating one or more employees to plan and coordinate a cybersecurity and compliance effort.
  • Identifying potential data security & compliance risks both internal and external to the organization.
  • Assessing current safeguards and addressing areas of vulnerability to control identified risks.
  • Comprehensive data security & compliance training and management for employees.
  • Partnering with professional cybersecurity & compliance specialists to implement and maintain contractually required safeguards.
  • Continually adjusting cybersecurity & compliance strategies to reflect changes to business conditions and new circumstances.

What are some examples of reasonable technical safeguards?

  • Completing a comprehensive risk assessment for all network and software resources within an organization.
  • Completing a comprehensive risk assessment for all processes related to data processing, transmission, and storage within an organization.
  • The swift detection, prevention, and response to system failures and data breaches.
  • A commitment to regular and ongoing effectiveness-testing and monitoring of key cybersecurity controls, systems, and procedures.

What are some examples of reasonable physical safeguards?

  • Completing comprehensive risk assessments of data storage and disposal protocols within an organization.
  • Implementing a reliable system for detecting, preventing, and responding to network breaches.
  • Deliberately protecting against unauthorized access or misuse of client data during the collection, transmission, transportation, storage, or disposal of such data.
  • Creating a secure and compliant plan for disposing of private client data within a reasonable timeframe after it is no longer required for business purposes. This includes creating a plan for erasing electronic data in a way that prevents it from being read or reconstructed after the fact.

Here’s How You Can Stay Compliant with the NY State Shield Act

Now that we’ve discussed what the NY State Shield Act is all about, let’s talk a little bit about what compliance looks like for different organizations. The real determinant here is the size of your business. The larger your organization, the more safeguards you’ll need to implement to maintain compliance.

For instance:

  • For a small business with less than 50 employees and less than 3 million dollars in annual revenue from each of the past 3 fiscal years, you need to implement the reasonable administrative, technical, and physical safeguards listed above to protect data.
  • For a larger business, with over 50 employees and more than 3 million dollars annual revenue in each of the past 3 fiscal years, there are a few additional things you need to make sure of so you know you have the right security measures in place to protect larger amounts of private data for clients residing in NY State.

For more detailed information about the requirements for different business types and sizes, you can read the entire NY State Shield Act Senate Bill here. 

Why Compliance Matters & Why You Should Call in Professional Support

In the meantime, you might be wondering about some initial, baseline strategies that will help you start taking NY State Shield Act compliance seriously. The fact of the matter is, compliance is very important and the financial penalties for non-compliance are steep – up to $5000 per violation. That can be a devastating hit to your organization’s bottom line.

So, here are some initial tips and tricks to get serious about data security & compliance:

  • Stay in the know about existing threats to data security. This might include getting informed about common phishing or social engineering scams that are designed to capture and steal user data. The more you know about your enemy, the better you’ll be able to prepare compliance strategies.
  • Talk to your team about the importance of data security and compliance with the NY State Shield Act. By making things a team effort, you’ll increase your lines of awareness and defense.
  • Make cybersecurity planning and strategizing a deliberate effort. The more you get policies and regulations on paper, the easier it will be to monitor effectiveness and maintain compliance for the long haul.
  • Most importantly, partner with a reliable and strategic team of IT experts When you partner with a team of experts that speak cybersecurity fluently, you’ll go a long way toward building security, compliance, and peace of mind for your organization. Be sure to choose an IT service provider who is familiar with the NY State Shield Act and understands the rules and regulations thoroughly.

Compliance and data security can seem like a daunting task. But when you break it down into more manageable tasks and goals, you can develop a system that helps you maintain compliance regularly and continually address points of vulnerability. All in all, the NY State Shield Act is in place to protect consumer data, but it’s also in place to help you protect your organization’s continuity. The sooner you start working towards secure and compliant business processes, the sooner you can get back to the pressing business that matters.

Ready to get compliant with the NY State Shield Act? We’d love to help. Give us a call anytime at (949) 379-8499, drop us a line at [email protected], or visit our website at www.technijian.com to chat with a live agent and book an IT compliance consultation.

Ravi JainAuthor posts

Technijian was founded in November of 2000 by Ravi Jain with the goal of providing technology support for small to midsize companies. As the company grew in size, it also expanded its services to address the growing needs of its loyal client base. From its humble beginnings as a one-man-IT-shop, Technijian now employs teams of support staff and engineers in domestic and international offices. Technijian’s US-based office provides the primary line of communication for customers, ensuring each customer enjoys the personalized service for which Technijian has become known.

5 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *