In an increasingly digital world, cybersecurity is more important than ever. New York is the latest state to set new business practice standards regarding the collection and protection of private consumer information. The SHIELD Act, or the “Stop Hacks and Improve Electronic Data Security” Act, requires businesses that collect information on New York residents to implement a written information security program (WISP).
The SHIELD Act goes into effect on March 21, 2020. It’s important for business owners to prepare accordingly and implement new cybersecurity measures, if necessary.
What does the WISP need to include?
The written information security program needs to include many elements, but the three main components are:
- Administrative safeguards, which might include designating employees to monitor data security, identifying potential risks and creating procedures for applying new technological developments
- Technical safeguards, which might include risk assessment of the software and storage equipment, regular monitoring and more
- Physical safeguards, which include prevention of and response to intrusions, breaches and unauthorized access. They also require procedures for safely disposing of information.
What kind of information does the SHIELD Act protect?
According to the new law, SHIELD protects “private information.” The state of New York defines private information, with respect to the SHIELD Act, as:
- Individually identifying information, such as name, phone number or address in conjunction with a Social Security number or credit or debit card number. Security codes also qualify as protected, as does biometric information. Any information that could be used to access online financial or personal accounts is protected.
- Identifying information together with an account number or credit or debit card number, where someone could access the account without any additional information or a security code.
- A username and password that accesses online accounts.
Who does the SHIELD Act apply to?
The Act applies to all businesses collecting information on New York residents, no matter where the business itself is located. There are some exceptions, however. Companies with fewer than 50 employees, less than three million in gross revenues in each of the past three years or less than five million in year-end total assets are exempt. These businesses will still need a data security program, but they can implement it to scale. Other exceptions include businesses already covered by GLBA, HIPAA or the New York State Department of Financial Services cybersecurity regulations. These companies are already deemed compliant.
Santomassimo Davis LLP is a premier Outside General Counsel™ firm to mid-cap businesses. The issues discussed in this article are typical of those that we handle for clients as we help them navigate the legal and regulatory matters affecting their businesses. For help with these issues or to learn more about the Outside General Counsel™ solution, please contact us on OGCSolutions.com.