New York State SHIELD Act Noncompliance

Today’s digital economy offers a myriad of exciting opportunities for businesses involved in every industry imaginable. Unfortunately, this setup carries its fair share of risks. Chief among them: security issues that can compromise the personal information of customers, clients, and employees. This represents a huge source of concern among today’s consumers, who want to know that the businesses they patronize take their security seriously.

Unfortunately, while many businesses make a clear effort to protect customers from digital threats, others neglect to consider how consumers could be compromised while taking advantage of digital services. In light of these issues, New York has spearheaded a campaign to hold companies accountable.

In an effort to address digital negligence, Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law in 2019. This legislation offers extensive guidance on consumer data protection. While many applaud its efforts, several businesses struggle to understand how to enact the law’s provisions — or what will happen if they fail to comply.

It’s important to get in the know, especially as the SHIELD Act officially went into effect in March 2020. In an effort to address lingering concerns surrounding implementation and enforcement, we offer a detailed explanation of its provisions and penalties below:

New York State Shield Act

What Is the SHIELD Act?

The SHIELD act provides an update to New York’s previous laws surrounding consumer data protection. The law greatly extends the state’s existing notification requirements for security breaches. Companies covered by the legislation must “develop, implement, and maintain reasonable safeguards” in the interest of protecting the “confidentiality and integrity of private information.”

While the SHIELD Act does not provide specific safeguards, it deems any company that implements a data security program as compliant. Such programs may vary based on the nature of the organizations in which they’re implemented, but all must contain the following key elements:

  • A designated employee responsible for coordinating the data security program
  • Extensive training to ensure that employees understand security program procedures
  • Thorough vetting for potential and current service providers
  • Internal and external risk assessments
  • The destruction of private information within a reasonable amount of time

Who Must Abide By the SHIELD Act?

A wide variety of businesses must comply with New York’s SHIELD Act. This law applies to any organization with employees, as its definition of ‘private information’ includes personal names and Social Security Numbers — both of which are required before an organization and individual can take on an employee-employer relationship.

Additionally, the law applies to all other businesses that in some way require private information from employees or customers. Other examples of data deemed private include:

  • Driver’s license numbers
  • Debit or credit card numbers
  • Biometric information
  • Login information such as usernames accompanied by passwords

The breadth of the legislation underscores the need for all New York businesses to gain a thorough understanding of how the law works and the consequences they might suffer if they fail to comply.

Who Enforces Penalties For Noncompliance?

The SHIELD Act is enforced by the New York State Attorney General Letitia James. In a statement released shortly after the legislation was enacted, Attorney General James explained, “New Yorkers deserve the peace of mind that companies will be held accountable for securing their information.”

What Happens to Organizations That Don’t Comply?

Businesses that fail to abide by the SHIELD Act risk a variety of harsh consequences. Civil penalties include fines of up to $5,000 per violation. Given the sheer number of violations that can occur if a company is non-compliant for even a brief period of time, these fees can add up quickly.

Further costs may arise if businesses fail to provide proper notice when security incidents occur. Specifically, companies must deliver written notice of incidents involving the private data of more than 500 individuals. Organizations that fail to abide by this notification requirement could be forced to pay the losses of those entitled to notice. Additional fees could include $20 for every failure to notify appropriate parties — up to a maximum of $250,000.

While the civil cost of failing to comply with the SHIELD Act can be significant, the problems don’t end there. Noncompliance can also lead to significant reputational damage.

Customers are increasingly concerned about how and under what circumstances companies use their private data. They want to know that their information is adequately protected at all times. If they become aware of a company’s failure to comply with the SHIELD Act, they may be reluctant to utilize that organization’s digital services.

Countless examples point to the major loss of trust that occurs following a data breach, even when the company in question has made every effort to secure consumers’ data. New York businesses simply cannot afford the reputational implications of failing to comply with the SHIELD Act, even if they are able to avoid breaches.

The SHIELD Act may seem harsh, but it intends to protect increasingly vulnerable data from the very real threat of cyberattacks. Compliance with this law goes beyond avoiding civil penalties — it establishes a much-needed sense of trust among digital consumers and could pave the path to a more secure digital environment in the future.

Given the increased requirements for cybersecurity in New York, it’s more important than ever to update security protocols. Robust managed IT security can make all the difference. The sooner your business seeks assistance in implementing a reliable and highly secure infrastructure, the better.