The Complete Payroll Blog

A Guide to NYS SHIELD Act Compliance: Data Security Program 

Posted by Complete Payroll | Jan 15, 2020 7:00:00 AM


Consumer data breaches have risen sharply over the past decade and a half: 1,244 breaches exposed 446.52 million consumer records in 2018, compared to 157 breaches exposing 66.9 million records in 2005.

Cybercrime damage as a whole is expected to hit $6 trillion annually by 2021.

Thanks to the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, private consumer data protections in New York State soon will be stronger than ever. The act's breach notification changes are already in force, and its data security requirements take effect March 21, 2020, requiring businesses to implement a data security program with “reasonable safeguards” to protect consumer data.

Once you know what the SHIELD Act is, how do you get your company in compliance with its requirements? 

The act doesn’t make it the simplest process in the world. It does not prescribe specific technical controls, certifications or products. What it does mandate is a set of elements that any business owning or licensing computerized data containing the private information of New York residents must build into its data security program.

Those elements require that the business:

  • Designate one or more employees to coordinate the data security program.
  • Identify reasonably foreseeable internal and external risks, and assess whether the safeguards already in place are sufficient to control them.
  • Train and manage employees in the security program’s practices and procedures.
  • Select only service providers capable of maintaining appropriate safeguards, and require those safeguards by contract.
  • Dispose of private information within a reasonable time after it is no longer needed for business purposes, erasing electronic media so the information cannot be read or reconstructed.
  • Adjust the security program in light of business changes or new circumstances.

We’ll dig a little deeper into what all this means. 

Developing a Data Security Program and “Reasonable Safeguards”

The SHIELD Act does offer some leeway with the definition of “reasonable safeguard” based on the size and complexity of your business. A small business (fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) is not exempt, but it meets the standard if its safeguards are appropriate to its size, the nature and scope of its activities, and the sensitivity of the personal information it holds.

One caveat worth knowing before you start: a business that is already subject to and compliant with the Gramm-Leach-Bliley Act, HIPAA/HITECH, or the NYS Department of Financial Services cybersecurity regulation (23 NYCRR Part 500) is deemed compliant with the SHIELD Act’s data security requirements.

For everyone else, the act describes what reasonable safeguards should look like. At least one employee must be designated to coordinate and lead your security program, and the program itself should cover three specific categories:

Administrative Safeguards

Administrative safeguards are the policies and processes that govern how private information moves through your company, so that risks to it can be identified and controlled. A practical starting point is for your designated employee to build a data map: an inventory of every system, storage device, third party and role that comes into contact with private information during the course of your company’s regular operation.

When the map is complete, the designated employee can conduct a risk assessment to identify reasonably foreseeable internal and external risks (a lost laptop, a phishing-compromised mailbox, an over-privileged former employee, a vendor breach) and to judge whether the safeguards already in place are sufficient to control them. Gaps found in that assessment are what the written safeguard policy should close.

It’s important to note that the act does not require you to hire an outside security firm. What it does require is that, wherever you already rely on a service provider that handles private information (a payroll vendor, a cloud host, a records-shredding company), you select providers capable of maintaining appropriate safeguards and require those safeguards by contract. Check those contracts as part of the assessment; a vendor relationship with no data protection terms is a compliance gap in itself.

After the safeguard policies are written and the service provider contracts are in order, the designated employee is responsible for training employees in the program’s practices and procedures.

The last step is not a one-time audit but an ongoing one: regularly test and monitor whether the key controls are working, and adjust the program when the business changes or new circumstances arise.

Technical Safeguards

Technical safeguards are meant to protect the technology and equipment used to process, store and transmit private information, and otherwise provide content and services to customers.

The act spells out four things these safeguards should do: assess risks in network and software design; assess risks in how information is processed, transmitted and stored; detect, prevent and respond to attacks or system failures; and regularly test and monitor the effectiveness of key controls, systems and procedures. Access controls and patching address the first two; logging, monitoring and an incident response plan address the third; periodic testing of all of it addresses the fourth.

Physical Safeguards

Physical safeguards protect private information that lives on physical media such as hard drives, backup tapes, laptops and printed materials. They assess the risks of how that information is stored and disposed of; detect, prevent and respond to intrusions; and protect against unauthorized access to or use of the information during and after its collection, transport and destruction. Disposal must happen within a reasonable time after the information is no longer needed for business purposes, and electronic media must be erased so that the data cannot be read or reconstructed.


Written by Complete Payroll
