[Jeff Lauria] Hi, I'm Jeff Lauria of iCorps Technologies. Today I'd like to talk about the New York SHIELD Act: Stop Hacks and Improve Electronic Data Security.
That particular law is an Amendment to an existing law. It went into play in March of 2020, and for most organizations that fall under a framework, it really doesn't have a big effect.
The law itself is pretty straightforward. It is designed to protect the data of New York residents. In previous versions, for example, it was only relevant to those businesses that did business in New York. So a business in New York was required to follow this law. While in this new version, it applies to any business that does or holds information about a New York resident.
So, for example, let's say you're a business in California, and you're doing some transactions with a New Yorker. You need to basically follow this law.
Data privacy is really fundamental to everyone, and there are lots of frameworks out there. If you are working in the financial industry, you have a framework. If you're in banking, if you are in health care, a lot of people hear of HIPAA. Those frameworks are designed to keep your data safe, and this is also designed to keep your data safe.
For a lot of organizations, you're already doing that. There's just a couple of things you need to be aware of, and for organizations that are not doing that, this is a great opportunity to protect your client's data, to protect your employee's data, and to really take a look at data privacy
security very deeply.
Now, a couple of things change in this regulation of this law. The first thing is, as I mentioned, it is that of New York residents, no matter where the business is located. The second thing is they've added a couple little twists. Now, it's also that they categorize personal information.
So historically, personal information was names, address, names of driver's license & numbers, social security numbers, bank information, well, they've also said bio information. So fingerprints, voice, things of that nature. Retina scans are also protected information. In addition to which is credit card numbers with or without the pin. And interestingly enough, security questions, this is kind of new, right? So we know that when we log on and we do a password change, they'll ask for security questions. Well, that's also considered private data.
So understanding that's the personal data, what do you do? Well, a couple of things you need to do is every organization should do a risk assessment, right? So you should go out, and you should determine what your data is, where it is, what you're holding, and what the chances of losing your data are.
The second part is that you should do training. Every organization should do training, and they should train their employees on phishing attacks, how to surf on the internet, how to protect data, cybersecurity training. Cybersecurity awareness is very, very important, and as you're going to see in a minute, is very fundamental.
Second & third thing is to take control, right? Take basic controls to safe-gate your data. Be it multi-factor authentication, it doesn't really matter. Vulnerability testing, all of this makes a good security framework.
Now, most organizations have fallen in a framework and are probably already doing this. For the small business — Oh, by the way, if you're less than 50 employees and under $3 million a year, you are exempt from the SHIELD Act. However, you still have an obligation to really maintain people's personal information. And if you think about it, every business has some form of personal information, if you know it or not.
So take these simple steps, do a security assessment, do a risk assessment, put a program into place, understand where your data is. And if you do that, you're one, going to keep data safe. Two, you're doing best practices.
A lot of these laws and regulations don't necessarily tell you what to do or how to do it, but the suggestion is that you follow best industry practices. Now best industry practices change from time to time; actually, frankly, change literally weekly, monthly, yearly.
So ensuring that you are following best industry practices, for example, let's say you had an email breach and you were not using Multi-Factor Authentication. Well, today, Multi-Factor Authentication is industry best practice.
Now, what does that mean? What that means is you may be subject to a penalty. And in New York's case, it's $5,000 per violation. Wow, $5,000 per violation. Not per incident. Per violation.
So let's say, for example, you lost 100 records of personal information. That's $5,000 x 100. There's your penalty. Oh, and if you fail to report, you're going to be hit with another penalty up to $250,000. So understand there is a big impact here.
Now, a lot of folks will say, well, you know what, I have cybersecurity insurance that will take care of it. Well, guess what? If you read through
your policy, you'll find out that unless you are following best practices, security awareness — excuse me — information security program, it's very, very important to know that the policy may not actually cover you during one of these breaches.