A Guide to NYS SHIELD Act Compliance: Data Security Program
Written by Complete Payroll
Consumer data breaches have been on a significant rise in the last 20 years or so, with 1,244 breaches exposing 446.52 million consumer records in 2018 (compared to 157 data breaches exposing 66.9 million records in 2005).
Cybercrime damage as a whole is expected to hit $6 trillion annually by 2021.
Thanks to the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, private consumer data protections in New York State soon will be stronger than ever, requiring businesses to implement new data security programs and “reasonable safeguards” to protect consumer data.
Once you know what the SHIELD Act is, how do you get your company in compliance with its requirements?
The act doesn’t make it the simplest process in the world: it prescribes no specific checklist for compliance. It does, however, mandate some key guidelines for any business handling the private data of New York residents.
Those guidelines state that the business must:
- Designate one or more employees to coordinate a data security program.
- Train and manage those employees in the data security program’s best practices and procedures.
- Conduct an assessment of reasonably foreseeable internal and external causes of a data breach and take the necessary steps to reduce the risk of a breach.
- Vet all service providers, and ensure they are contractually bound to protect private data.
- Securely dispose of private data in a reasonable timeframe when it isn’t required for business purposes.
We’ll dig a little deeper into what all this means.
Developing a Data Security Program and “Reasonable Safeguards”
The SHIELD Act does offer some leeway in the definition of “reasonable safeguard” based on the scope and complexity of your business (smaller businesses, while not exempt, are only required to develop security programs that cover the extent of their operations).
For the most part, the act offers some guidelines as to what reasonable safeguards should look like.
At least one employee must be designated to coordinate and lead your security program, and the program itself should cover three specific categories:
Administrative safeguards are meant to track the flow of consumer information through the administration of your company in order to locate any potential vulnerabilities. To do this, your designated employee should create a data map by thoroughly tracking every storage device and user that comes into contact with consumer information during the course of your company’s regular operation.
When the map is complete, the designated employee can conduct a risk assessment in order to locate reasonable gaps and lapses in security. Potential internal and external threats of a data breach should be noted in order to draft a safeguard policy.
It’s important to note that the company will still not be in compliance with the NYS SHIELD Act until the safeguard policy includes a contract with a service provider to maintain the new security safeguards.
After the new safeguard policies are developed and the service provider has been contracted, the designated employee is responsible for training employees in data security best practices.
The last step is to audit the safeguards—preferably with the help of the service provider.
Technical safeguards are meant to protect any technology and equipment used to process data, store programs, and otherwise provide content and services to customers.
Effective safeguards prevent unauthorized access to this technology and also assess vulnerabilities in the network, weaknesses in software design, and vulnerabilities in how information is stored, transmitted and processed.
Physical safeguards protect consumer data that is stored on physical devices such as hard drives and printed materials. These safeguards actively detect and prevent intrusion, unauthorized access, and theft of materials during the use of the information, during transport and even after its disposal.