Storing Private Information Belonging to New York Residents?
SHIELD Act Takes Effect March 21st, 2020
What Organizations In Western New York Need To Know Today.
On July 25th, 2019, Governor Andrew Cuomo signed the SHIELD Act into law. SHIELD stands for Stop Hacks and Improve Electronic Data Security, an act designed to amend the current data breach notification law in New York. The goal is to ensure better protection for residents against data breaches involving their private information. The SHIELD Act takes effect on March 21st, 2020, meaning all businesses throughout the state should be well aware of what’s involved and how to comply. It imposes significant changes, including:
- Expanding the definition of a “breach” to include unauthorized access to computerized data that may compromise the confidentiality, integrity, and security of private information.
- Expanding the definition of “private information” to include a more extensive range of data, including biometric information, as well as:
  - Username/email addresses in combination with a password and/or answers to security questions.
  - Account numbers or debit/credit card numbers, even without the password and/or access code if the account could be accessed without it.
- Expanding the territorial scope of the breach notification requirement to any business that works with and holds the private information of a resident in the state rather than only focusing on those who conduct business in the state.
- Requiring greater data security safeguards to be implemented for the protection of private information. This includes disposing of data in a timely, appropriate manner, scheduling regular risk assessments and employee training, as well as having a data security program and proper vendor contracts in place.
The state is taking consumer privacy and confidentiality more seriously, so what are you doing to comply?
Keep in mind that although the data security requirements take effect on March 21st, 2020, the breach notification amendments take effect on October 23rd, 2019. You must develop, implement, and maintain reasonable safeguards that protect the confidentiality, integrity, and security of private information.
How should your human resources department be involved?
The HR department is typically responsible for various areas, including employee training and policies. It can help you maintain compliance with the SHIELD Act by:
- Designating an employee or an entire team to coordinate the creation of a data security program.
- Ensuring private information is destroyed within a reasonable time period after it’s no longer deemed necessary.
- Vetting any and all third-party service providers and making sure they’re contractually obligated to protect private information.
How should your technology partner be involved?
Naturally, when it comes to safeguarding your environment, your technology partner should be actively involved in terms of ensuring proper data security and backups, protecting the network against attacks, and training your team on best practices. If they’re not involved or you don’t have a Buffalo technology partner, it’s important to find one who is well-versed in the realm of cybersecurity to help you:
- Perform a thorough risk assessment wherein they identify vulnerabilities and implement controls to reduce them.
- Create an employee training program wherein they train employees on the latest threats, how to respond to them, and more.
The SHIELD Act impacts every business that holds private information of a resident of the state. New York businesses can trust Buffalo Computer Help for help with safeguarding their network, systems, and private information. Call (716) 206-3200 or email firstname.lastname@example.org.