Does your manufacturing company have employees or customers who live in New York State? Do you keep their private information, such as social security or credit card numbers? Then you need to know about the NYS Shield Act, a law signed by Governor Andrew M. Cuomo last July. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act applies to every company with NYS employees – including businesses based out-of-state. It also applies to companies whose customers include NYS residents.
Under the SHIELD Act, businesses and other organizations are legally responsible for protecting the private information of NYS residents. In addition to names and social security numbers, this includes driver’s license numbers and usernames or email addresses combined with the password that protects the account. The NYS SHIELD Act also expands notification requirements for security breaches. Because most private information is now stored digitally, cybersecurity is virtually impossible to ignore.
What are “Reasonable Safeguards”?
As the law states, the SHIELD Act requires the holders of NYS residents’ private information to “develop, implement, and maintain reasonable safeguards”. In order to achieve compliance, an organization must implement a data security program that includes three types of safeguards: administrative, physical and technical. Examples of technical safeguards include risk assessments of networks and information processing systems. Measures for detection, prevention and response may also be required.
Importantly, the meaning of “reasonable safeguards” depends in part on the size of your business. Manufacturers with fewer than 50 employees or less than $3 million in gross annual revenue need only ensure that their safeguards are appropriate for the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the private information. Businesses of all sizes that are in compliance with other data security schemes may already be compliant with the SHIELD Act.
Deadline, Fines, and Available Assistance
Manufacturers and other organizations that hold NYS residents’ private information have until March 21, 2020 to meet the data security requirements of the SHIELD Act. Failure to implement a compliant information security program could result in civil penalties of up to $5,000 against an organization and individual employees for each violation. The New York State Attorney General is responsible for the law’s enforcement.
FuzeHub, the statewide Manufacturing Extension Partnership (MEP) center for New York State, is offering a series of CybersecurityNOW webinars for NYS manufacturers who want to learn more about information security.
FuzeHub is also hosting a Cybersecurity for Manufacturers Forum on December 5, 2019; details and registration are available from FuzeHub.