The Stop Hacks And Improve Electronic Data Security (SHIELD) Act has one purpose: to protect the residents of the state of New York and safeguard their digital information. For businesses that operate in the state of New York, that have employees residing in New York, or have any customers or clients in New York, compliance with the requirements spelled out in the SHIELD Act is a must.
With a population of more than 19 million people, the SHIELD Act has far-reaching potential, and businesses with employees or customers in New York need to know how the SHIELD Act applies to their operations.
What Is the SHIELD Act?
Businesses that operate in New York or have employees or customers residing in New York are required to have certain data security protocols in place to protect the personal information of these customers, clients, or employees in digital format to prevent this information from exposure or breach.
The important distinction of the SHIELD Act is it redefines “exposure” with relation to digital information. Previously, a data breach was labeled as the unauthorized possession of this data – gaining access to eventually acquire the data. The SHIELD Act now classifies unauthorized potential access to data as exposure, and the individuals affected by this type of exposure must be notified and credit reporting agencies must offer these individuals identity theft protection services.
What Digital Information Does the SHIELD Act Protect?
The SHIELD Act applies to any person or business that accesses, stores, shares, or uses any of the following sensitive information in digital format of private residents in New York state, including:
- Names
- Social Security and/or Driver’s license numbers
- Credit and debit card numbers
- Financial account numbers or information
- Biometric information
- Account user names or email addresses
With or without PIN codes or passwords, this information is very powerful ammunition for identity theft if acquired, with incredible potential for the 19 million people this could impact.
How Can Your Business Become SHIELD Act Compliant?
The SHIELD Act categorizes businesses into two classifications:
Small Businesses
- Less than 50 employees
- Annual revenue of less than $3 million in each of the past three fiscal years
Small businesses must take reasonable administrative technical and physical protective measures concerning electronic data. What does “reasonable” mean? Reasonable safeguards are those measures considered appropriate for:
- The size and operational complexity of the small business
- The nature and scope of the business and industry
- The sensitivity of the data used by the business
Large Businesses
- More than 50 employees
- Gross annual revenue is greater than $3 million
Small or large, your business has a responsibility to become compliant with the SHIELD Act and take steps with technology security for your digital information:
- Maintain secure IT systems and network
- Limit those who can access your sensitive information
- Train staff on security protocols for uniform access and handling of your sensitive information
Training your staff on security protocols and making sure your processes are uniform is the greatest step you can take to start. Ensuring everyone is applying best practices for data security is crucial, including using strong passwords, updating passwords often, and recognizing phishing attempts to gain access to these passwords will be a solid foundation to prevent unauthorized access to your sensitive digital information and help you maintain SHIELD Act compliance.