In July 2019, Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. This law affects any organization that holds private information of New York state residents, wherever the organization itself is located. A greater understanding of the key components of the New York SHIELD law will ease regulatory compliance for manufacturers and other businesses.
In summary, SHIELD expands data breach notification requirements and mandates that organizations create or update a data security program. To meet these requirements, manufacturers must address risk, review vendor compliance, and ensure proper notification in the event data becomes compromised.
The strict breach notification requirements of New York’s SHIELD law have already taken effect. To comply, organizations must understand how the law broadens the definitions of both “private information” and “data breach.”
In the event of a breach, organizations must immediately notify the New York residents whose personal information was compromised. They must also notify the New York state attorney general and the state police.
Organizations have until March 2020 to comply with SHIELD’s data security program requirements. The law requires that organizations deploy reasonable security measures in terms of administrative, technical and physical safeguards. Some examples of these safeguards include the following:
These requirements can seem overwhelming for small manufacturers. However, the regulations do include some concessions for small businesses. New York’s SHIELD law defines small businesses as those with fewer than 50 employees, less than $3 million in gross annual revenue or less than $5 million in total assets.
In addition to implementing their own security programs, organizations must also assess any risk involved with third parties. For instance, many organizations outsource some storage and processing of private information to vendors. In that case, they must review and update vendor contracts to ensure that vendors also provide appropriate safeguards.
Although addressing SHIELD regulations requires an investment of time and budget, the penalties for non-compliance can prove even more costly. Violations of the breach notification requirements can result in fines of up to $20 per failed notification, capped at $250,000. Violations of the data security program regulations can cost up to $5,000 per single violation, with no cap.
The consultants at eMazzanti can help you build a comprehensive cyber-security program to ensure regulatory compliance. With deep experience in manufacturing data security and information governance, we will guide you through the maze of the New York SHIELD law. From risk assessment to security controls and data retention policies, we have you covered.