The New York State SHIELD Act, which went into effect on March 21, 2020, is one of the most aggressive state data breach notification laws in the United States. This law applies to any New York person or business (even one operating outside of New York State) that collects and maintains New York residents’ “private information”. Although the SHIELD Act applies to “a New York person or business that owns or licenses computerized data, which includes private information, of a resident of New York”, small businesses are particularly vulnerable because they constantly collect and transmit private information. Regardless of size, every small business must maintain a security program and adopt “reasonable” administrative, technical and physical safeguards for the sensitive personal information it collects. This includes information that clients send to a small business by email in an unsecured fashion. Small businesses collect and store more sensitive personal information than they may realize. A data breach that exposes customer or client information could lead to damage claims, compliance costs, loss of business, and damage to the company’s reputation that may take years to rebuild. Any small business that has a cyber incident involving the private information of a New York State resident must notify the New York Attorney General within ten days of discovering it.
Penalties are $20 per failed notification, with a maximum penalty of $100,000 to $250,000. For “reasonable safeguard” requirement violations, penalties are up to $5,000 per violation.
Ignoring the requirements due to a lack of time, a reluctance to spend money or a fear of change is not an excuse the New York Attorney General will accept.
In fact, a decision to stall, delay or do nothing is a decision to accept the abundant cyber risks associated with small businesses, as well as the harmful and costly penalties that follow.
The upfront investment to protect the company is inconsequential compared to the extreme recovery costs and pain after the fact. Your company could be held accountable for damages as well as litigation costs, and future insurance premiums are likely to increase if the company is found at fault or irresponsible in its duty to take the necessary safety measures.
Roark Tech Services recommends proactive administrative, physical and technology controls developed from industry best practices and frameworks to help ensure compliance with the New York SHIELD Act as well as other state, federal and international requirements around data privacy.
Conduct a Security Risk Assessment: Assessments supply complete insight into the overall security posture of the company and offer the opportunity to develop a practical roadmap (prioritized and budgeted) that better safeguards the company’s stability and protects the confidentiality and integrity of sensitive information.
Conduct a Penetration Test: These tests expose weaknesses within a company’s infrastructure that would allow bad actors to gain access, move through the network, and reach and compromise sensitive data. The results of these tests become part of the roadmap to remediate and mitigate vulnerabilities.
Make our “Security Checklist” a Priority: These are baseline controls we designed to protect all types of small businesses:
Prioritizing these controls in the security roadmap is far more cost-effective in terms of time, money and effort than responding to a cyber security incident. The best way to reach SHIELD compliance is by working with a Managed IT Service Provider, especially if the business lacks the IT knowledge to create a data security plan. To ensure compliance with these updated regulations and, as the regulations intend, remain protected from cyber threats, work carefully with your IT team to update security measures and practices in light of the SHIELD Act’s new conditions.