3 Things Employers Need to Know About NY SHIELD Act Compliance
The deadline to achieve SHIELD Act cybersecurity health is fast approaching. New York outfits unsure about how to meet the mandate may need an expert.
Is Your Business Ready For NY SHIELD Act Deadline?
To heighten cybersecurity in New York, the governor signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law, and business owners are concerned about compliance.
While some companies may view the measure as another mandate that turns into an out-of-pocket business expense, improving cybersecurity in the Empire State is not without merit. According to reports, upwards of 90 percent of all breaches occur in either New York or California. The data stolen by digital thieves often includes critical identity information such as Social Security numbers, addresses, credit cards, bank accounts, and much more.
“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” New York Gov. Andrew Cuomo reportedly said. “The stark reality is that security breaches are becoming more frequent, and with this legislation, New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
A determined hacker can steal enough information for high-level identity theft or sell it on the dark web. That being said, it’s understandable that state lawmakers felt compelled to act. Compliance is now crucial for New York businesses, and these are the things industry leaders need to know.
1: How Does SHIELD Impact HR Departments?
Cybercriminals view HR files as the crown jewels of a data breach. In many cases they fetch more on the dark web than coveted industry secrets. The SHIELD Act expects employers to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.”
One of the challenges decision-makers are confronted with is that SHIELD does not necessarily articulate safeguards for specific industries. Compliance is more a matter of implementing cybersecurity measures that reflect those in the Act. In terms of HR, these may include the following.
- Have key employees implement a data security program
- Train and oversee staff on security measures, best practices, and protocols
- Analyze risks and mandate controls
- Thoroughly vet internet and service providers
- Create contracts with providers that include cybersecurity obligations
- Purge all unnecessary private information from systems
Although your human resources department plays a critical role in developing cybersecurity policy, risk assessment and implementation often require third-party expertise.
2: Enhanced Breach Notification Systems Required
One of the issues that puts everyday people at risk of identity theft is not knowing their private information has been siphoned off by a hacker. We’ve all seen the splashy headlines and multi-million dollar lawsuits leveled because individuals were not promptly notified. SHIELD addresses precisely that issue by broadening its notification rules. Companies are now required to notify all impacted parties if any of the following information may have been compromised.
- Social Security Number
- Driver’s License Number
- Credit or Debit Card Number
- Any Financial Account Number
Employers should consider creating an automated notification system for the event that any private information protected by a login, PIN, or password has been accessed in any way by an unauthorized entity. Failure to comply with the SHIELD Act can result in fines doubling, and the new maximum penalty has been increased to $250,000.
3: How Can My Business Achieve SHIELD Compliance?
Entrepreneurs and CEOs need to know that the SHIELD Act outlines two pathways to compliance. Outfits that have under 50 workers or less than million in annual revenue are tasked with cybersecurity measures appropriate for a small business.
More substantial corporations may need to achieve the cybersecurity health associated with the Gramm-Leach-Bliley Act, or New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies, among others. There are various industry-specific cybersecurity regulations, and many are consistent with the SHIELD Act. Meeting the standard that applies to your industry could satisfy both criteria if deftly implemented by a cybersecurity expert.
NY State SHIELD Act Compliance
The SHIELD Act takes full effect on March 21, 2020, and the fast-approaching deadline has many small, mid-sized, and large businesses concerned about the fallout for not complying. If you have not implemented a cybersecurity program that meets the standard or are unsure about what needs to be done to comply, contact Atlantic-IT.net, and schedule a SHIELD Act consultation.