New cybersecurity law imposes stricter guidelines. Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)

This is good news for the information security of New York residents. As of March 21, 2020, any person or business that owns or licenses computerized data including the private information of a New York State resident is required to implement reasonable administrative, technical and physical safeguards to protect that data.

Last year (2019), the New York State Legislature passed a law aimed at strengthening the protection of the private information of the state’s residents held in digital form. The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires companies to implement reasonable safeguards when handling this information, and it also broadens the state’s data breach notification requirements (the notification provisions took effect earlier, on October 23, 2019).

What are these modifications?

One of the main changes the law brings is an expanded definition of “private information”, which the SHIELD Act defines as either of the following:

  • A username or email address, in combination with a password or a security question and answer, that would permit access to an online account
  • Personal information (any information about a natural person that, because of a name, number, personal mark or other identifier, can be used to identify that person), in combination with one or more of the following data elements:
    • Social Security number
    • Driver’s license number or non-driver ID card number
    • Account number, or credit or debit card number, in combination with any security code, access code, password or other information that would permit access to an individual’s financial account (or such a number alone, if it could be used to access the account without additional identifying information)
    • Biometric information, such as a fingerprint, voice print, retina or iris image, or any other unique physical or digital representation of biometric data used to authenticate or ascertain an individual’s identity

Once the SHIELD Act’s security provisions are in force, any business that owns or licenses computerized data including the private information of a New York resident must develop, implement and maintain a data security program with reasonable safeguards. Such a program must include:

  • Reasonable administrative safeguards. Companies handling the private information of New York residents must:
    • Designate one or more employees to coordinate the security program
    • Identify reasonably foreseeable internal and external risks
    • Assess the sufficiency of the safeguards in place to control the identified risks
  • Reasonable technical safeguards. Companies must:
    • Assess risks in the design of the networks and software they use
    • Assess risks in the processing, transmission and storage of private information
    • Detect, prevent and respond to attacks or system failures
  • Reasonable physical safeguards. Companies must:
    • Assess the risks of information storage and disposal, including secure deletion of data that is no longer needed
    • Detect, prevent and respond to intrusions

It should be noted that small businesses are not exempt from the law, but are held to a lighter standard: their safeguards need only be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it handles. The SHIELD Act considers a “small business” to be one that meets any of the following criteria:

  • Fewer than 50 employees
  • Less than $3 million USD in gross annual revenue in each of the last three fiscal years
  • Less than $5 million USD in year-end total assets

There are only a few days left for companies subject to this legislation to implement the required security measures. The Act creates no private right of action; enforcement rests with the New York Attorney General, who can bring actions and seek civil penalties against businesses that fail to comply.