by Richard Ruzzo
On July 26, the Shield Act was signed into law by Gov. Andrew Cuomo to direct that better security measures and policies are put in place by all businesses that store, maintain or electronically handle non-public personal information (NPPI), to help protect against hackers obtaining an individual’s personal and private information.
The law is set to take effect March 21.
What determines a breach in a security system?
A breach occurs when one’s NPPI is exposed, made vulnerable or stolen from the host organization by unscrupulous data thieves. The information at risk and covered by the new statute is as follows:
Any data that is compromised and consists of any combination of: name, Social Security number, driver’s license number or non-driver identification card number, account number, credit card number, security access code, password or PIN to a financial account, username/email address with a security question/password, and any biometric data based on unique physical features that can be represented digitally.
Businesses that are already regulated and that need to comply with data breach notification requirements under state or federal laws are also covered by the statute and must contact the state Attorney General, the Consumer Protection Board and the State Police if a breach occurs. The Attorney General’s office has far-reaching enforcement powers, and businesses that have any exposure to these types of data breaches must enact a prescribed set of safeguards before the deadline.
Businesses must also take security measures to help maintain and protect the confidentiality, integrity and security of that information.
Who is affected? Just about everyone.
Businesses with fewer than 50 employees, less than $3 million in gross revenue in each of the last three years and no more than $5 million in year-end total assets are subject to the requirements. Any small business is subject to the statute and must take steps to implement reasonable safeguards before a breach occurs.
What can happen if a company is found to be in violation?
Civil penalties can be brought by the Attorney General for data breach violations, and the court may award damages for actual losses or costs to a person impacted by the breach. Businesses that the AG deems willful in their lack of action will be considered reckless violators and could face penalties greater than $5,000, or up to $20 per incident with a cap of $250,000.
What can you do to help reduce your risk?
Have a written security policy in place to present to the AG in the event of a breach
Schedule a vulnerability assessment and make sure to have ongoing monitoring of those vulnerabilities
Provide employee security awareness training to all employees in the company
In reality, many small businesses do not have the staff to create policies or to perform the penetration testing, assessments or monitoring. There are companies that can assist businesses with meeting all of the requirements.
Ruzzo is managing partner, COO, of Shepherd Communication and Security.