Shield Act

Stop Hacks and Improve Electronic Data Security Act [SHIELD Act]
https://legislation.nysenate.gov/pdf/bills/2019/S5575B

NY State Senate Bill S5575B
Signed into law: July 25, 2019

PURPOSE

New York's data breach notification law needs to be updated to keep pace with current technology. This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information. It also requires reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities.

WHAT

The SHIELD Act requires businesses in possession of New York residents' private information to "develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including but not limited to disposal of data."

The bill imposes stronger obligations on businesses handling private data of customers, regarding security and proper notification of breaches.

WHO

Businesses with access to personal and private information of New York residents, including but not limited to:

  • Name and other identifiers
  • Social Security, driver's license or other officially issued government card numbers
  • Financial account, credit or debit numbers
  • User identification and passwords for access to sensitive information
  • Anything not publicly available

WHEN

The law takes effect in two phases:

  • Official law takes effect October 22, 2019
    [90 days from July 25, 2019]
  • Section 4: Notification remedies takes effect March 20, 2020
    [240 days from July 25, 2019]

COMPLIANCE

The SHIELD Act provides that a business will "be deemed to be in compliance with" this standard if it implements a "data security program" that includes all of the elements enumerated in the Act.

BoardPackager ensures our clients stay in compliance.


Reasonable administrative safeguards such as the following, in which the person or business:

| Shield Act | BoardPackager Solution |
| --- | --- |
| Designates one or more employees to coordinate the security program | BoardPackager point person working with your IT department |
| Identifies reasonably foreseeable internal and external risks | BoardPackager regularly conducts these checks, includes client feedback |
| Assesses the sufficiency of safeguards in place to control the identified risks | BoardPackager assesses safeguards aided by third-party security audit |
| Trains and manages employees in the security program practices and procedures | Provided by BoardPackager |
| Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract | BoardPackager Standard |
| Adjusts the security program in light of business changes or new circumstances | Consistent system updates and new features by BoardPackager |

Reasonable technical safeguards such as the following, in which the person or business:

| Shield Act | BoardPackager Solution |
| --- | --- |
| Assesses risks in network and software design | Conducted by BoardPackager regularly, includes client feedback |
| Assesses risks in information processing, transmission and storage | Conducted by BoardPackager regularly, includes client feedback |
| Detects, prevents and responds to attacks or system failures | Conducted by BoardPackager, and third-party security audit |
| Regularly tests and monitors the effectiveness of key controls, systems and procedures | Conducted by BoardPackager, and third-party security audit |

Reasonable physical safeguards such as the following, in which the person or business:

| Shield Act | BoardPackager Solution |
| --- | --- |
| Assesses risks of information storage and disposal | Conducted by BoardPackager regularly, includes client feedback |
| Detects, prevents and responds to intrusions | Conducted by BoardPackager, and third-party security audit |
| Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information | Conducted by BoardPackager, and third-party security audit |
| Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed | Conducted by BoardPackager, and third-party security audit |