Written by: Susie Kenerson, CIPP/US Compliance Privacy Officer at CSR Privacy Solutions, Inc.
In mid-2019, New York passed the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) (Senate Bill 5575), adding a specific requirement for businesses that possess private information of New York residents in computerized form to have a data security program in place to protect that private information. This applies to businesses located in New York or outside the state.
The effective date for the data security requirement under the SHIELD Act is March 21, 2020.
Under NY Gen. Bus. Law § 899-bb, businesses that own or license computerized data which includes private information of New York residents are required to have an appropriate program for data protection and security of their information systems.
Businesses will be deemed compliant if they implement and maintain administrative, technical and physical safeguards appropriate to the business based on size, type of business activities, and sensitivity of private information held by the business. Some of the reasonable security safeguards are:
New York’s Attorney General may bring an action for violations. Non-compliance with the new data protection and security requirements will be considered deceptive acts and practices, with civil penalties up to $5,000 per violation.
Businesses located in and outside of New York that maintain private information of New York residents must ensure they are compliant with the mandated data and security protections by March 21, 2020.
Your business may already apply best business practices for data protection and security, with appropriate safeguards in place to ensure the security of private information (also known as personal information), from the time the data is collected through the time it is disposed. Or maybe you are a sector-specific business, already complying with data protection and security protocols of laws such as the Gramm-Leach-Bliley Act, HIPAA, HITECH, 23 NYCRR 500, or other regulated federal or state laws. Such entities are deemed compliant with the SHIELD Act requirements.
However, many businesses find themselves lacking the necessary policies, procedures and system security to ensure that all private or personal information collected, used, disclosed to third parties, and disposed of is always protected. Or maybe your business needs to assess its existing practices and systems to make certain safeguards are up to date.
CSR Privacy Solutions, Inc. offers small to medium-sized businesses (SMBs) the opportunity to be prepared and up to date with best practices for data protection. CSR Readiness® Pro is an award-winning bundle of privacy solutions that businesses use to mitigate consequences related to non-compliance associated with the handling of legally protected personal information and the risk of a data breach.
CSR Readiness delivers a PROACTIVE solution, enabling small to medium-sized businesses (SMBs) to assess their current data protections, privacy policies, procedures, processes and information security programs. Upon completing the assessment, they are presented with suggested improvements for areas the program identifies as deficient.
CSR’s Breach Reporting Service is the REACTIVE solution that provides breach notification assistance for the SMB community, because even with all protections in place, companies may still suffer a data breach.
In addition, CSR offers its newest product, CSR-V3 – an automated vendor privacy risk reduction tool which documents vendor management, verification and validation due diligence. Oversight of business vendors to whom you disclose private or personal information is crucial and is among the program safeguards mandated by the SHIELD Act.