What is the SHIELD Act? Tips for SHIELD Compliance

Table of contents

  1. Why is the SHIELD Act important?
  2. How has the SHIELD Act changed data breach notification requirements?
  3. Who must comply with the SHIELD Act?
  4. How to comply with the SHIELD Act
  5. What are the penalties for not complying with the SHIELD Act?
  6. How is personal information defined in the SHIELD Act?
  7. How is private information defined in the SHIELD Act?
  8. Key takeaways
  9. How UpGuard can protect private information and assess technical safeguards

1. Why is the SHIELD Act important?

2. How has the SHIELD Act changed data breach notification requirements?

  • Computerized data containing private information of a New York resident
  • Reasonably believed to have been accessed or acquired by a person without valid authorization

3. Who must comply with the SHIELD Act?

  • Fewer than fifty employees
  • Less than three million dollars in gross annual revenue in each of the last three fiscal years
  • Less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles (GAAP)

4. How to comply with the SHIELD Act

  • Reasonable administrative safeguards, such as designating one or more employees to coordinate the security program; identifying reasonably foreseeable internal and external risks; assessing the sufficiency of the safeguards in place to control the identified risks; training and managing employees in the security program's practices and procedures; selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract; and adjusting the security program in light of business changes or new circumstances
  • Reasonable technical safeguards, such as assessing cybersecurity risks in network and software design; assessing risks in information processing, transmission and storage; detecting, preventing and responding to attacks or system failures; and regularly testing the effectiveness of key controls, systems and procedures
  • Reasonable physical safeguards, such as assessing the risks of information storage and disposal; detecting, preventing and responding to intrusions; protecting against unauthorized access to or use of private information during or after its collection, transportation and destruction or disposal; and disposing of private information within a reasonable amount of time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed

5. What are the penalties for not complying with the SHIELD Act?

6. How is personal information defined in the SHIELD Act?

7. How is private information defined in the SHIELD Act?

  • Any personally identifiable information (PII), such as a name, number or other identifier, in combination with one or more of the following data elements: a social security number; a driver’s license number or non-driver identification card number; an account number or credit or debit card number together with any security code, access code, password or other information that would permit access to the individual’s financial account; or an account number or credit or debit card number alone, if the individual’s financial account can be accessed without additional information
  • Biometric information, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data that is used to authenticate or ascertain an individual’s identity
  • A username or email address in combination with a password, or a security question and answer, that would permit access to an online account

8. Key takeaways

9. How UpGuard can protect private information and assess technical safeguards

UpGuard

https://www.upguard.com — UpGuard combines third-party security ratings, vendor questionnaires, and threat intelligence in a single cyber risk solution.