The New York State SHIELD Act is in place. Are you compliant? If not, there will be financial penalties, so here's what you need to know to meet its requirements.
At our webinar in January, Bit by Bit and Arctic Wolf brought you up to speed on the recently passed New York State SHIELD Act, which strengthens protection against data breaches affecting private information. It imposes more expansive data security obligations and updates the state's data breach notification requirements.
Here's what the Act considers private information under its new definition of a breach:
- Personal information + private information, or
- Credit/debit card information, with or without identifying information, or
- Username/email + password/security question
In the event of a breach, if you already notify under the Gramm-Leach-Bliley Act, HIPAA or the HITECH Act, or the NY Department of Financial Services Cybersecurity Regulation, the SHIELD Act does not require additional notice to affected individuals. But you will still have to notify the NY Attorney General, the NY Department of State, and the NY State Police.
You'll also need to adopt safeguards for information security, confidentiality, and integrity while implementing a data security program encompassing:
- Risk assessments
- Employee training
- Vendor contracts
- Timely data disposal
These safeguards fall into the following categories:
- Dedicated cybersecurity staff
- Identify internal and external risks
- Assess sufficiency of safeguards
- Train employees on security
- Third-party vendor management
- Risk assessment
- Detection and response
- Information storage and disposal
- Unauthorized access
- Data destruction
If you are scrambling to make sure you are compliant, just ask us. We can help!