New York State’s New SHIELD Act: What Businesses Need to Know

Cybersecurity has definitely become more of a concern for businesses in recent years. Large scale data breaches such as the Equifax data breach in September 2017 and the almost 1,600 data breaches that occurred across the New York state that same year (as reported by the Albany Business Review) set lawmakers into motion.

In July 2019, Governor Andrew Cuomo signed the law, known as the Stop Hacks and Improve Electronic Data Security, or SHIELD, Act. Overall, it sets up new minimum-security requirements for all entities and persons, both for-profit and not-for-profit businesses that hold computerized, private information that are not already covered by other federal or state mandates for cybersecurity. The law is effective on March 21, 2020. Here are a few highlights for business owners to take note of:

• Requirement of a designated employee (or employees) to oversee the business’s cybersecurity program.
• Identification of both internal and external security risks.
• Regular assessment of the adequacy of safeguards in place to control these identified risks.
• Training of all employees in the security program practices and procedures.
• Expansion of the scope of information subject to the current data breach notification law (reporting requirement) to include biometric information (such as fingerprints), email addresses, and corresponding passwords or security questions and answers.
• Scale back of requirements for small businesses based on revenue size to relieve of any financial strain. (Programs are expected to be relative of their size, type of work and type of data stored.)
• Requirement of businesses to provide written or electronic notifications to customers if their data is breached.

The Business Council of New York State recently applauded the passage and signing of the SHIELD Act:

“NY Attorney General James and the legislative sponsor have listened to New York businesses and developed state law which recognizes federal and state cyber security standards and breach notification procedures, and protects consumers. This commonsense approach to ever increasing cyber threats in today’s technology-driven world shows that business and government can, and should, work together to find solutions that protect both businesses and the consumer.” – John Evers, director of government affairs

Also, cybersecurity insurance is important and recommended, as it helps a business recover from a ransomware attack, security breach or other cyber event. Speak to us about risk management solutions that can help protect your company from cyberattacks and help you to meet the protection requirements customers need. Click here to learn more about cybersecurity insurance.