In July 2019, Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD) into law. This law affects any organization that holds private information about New York state residents. A greater understanding of the key components of the New York SHIELD law will ease regulatory compliance for manufacturers and other businesses.
In summary, SHIELD expands data breach notification requirements and mandates that organizations create or update a data security program. To meet these requirements, manufacturers must address risk, review vendor compliance, and ensure proper notification in the event data becomes compromised.
The strict breach notification requirements of New York’s SHIELD law have already taken effect. To comply, organizations must understand how the law broadens the definitions of both “private information” and “data breach.”
In the event of a breach, organizations must immediately notify the New York residents whose personal information was compromised. They must also notify the New York state attorney general and the state police.
Organizations have until March 2020 to comply with SHIELD’s data security program requirements. The law requires that organizations deploy reasonable security measures in terms of administrative, technical and physical safeguards. Some examples of these safeguards include the following:
These requirements can seem overwhelming for small manufacturers. However, the regulations do include some concessions for small businesses. New York’s SHIELD law defines small businesses as those with fewer than 50 employees, less than $3 million in gross annual revenue, or less than $5 million in total assets.
In addition to implementing their own security programs, organizations must also assess any risk involved with third parties. For instance, many organizations outsource some storage and processing of private information to vendors. In that case, they must review and update vendor contracts to ensure that vendors also provide appropriate safeguards.
Although addressing SHIELD regulations requires an investment of time and budget, the penalties for non-compliance can prove even more costly. Violations of the notification requirements can result in fines of up to $20 per failed notification, capped at $250,000. Violations of the data security program requirements can cost up to $5,000 per violation, with no cap.
The consultants at eMazzanti can help you build a comprehensive cyber-security program to ensure regulatory compliance. With deep experience in manufacturing data security and information governance, we will guide you through the maze of the New York SHIELD law. From risk assessment to security controls and data retention policies, we have you covered.