The New York “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act) requires businesses that collect private information on New York residents to implement reasonable cybersecurity safeguards to protect that information. As a result, effective March 21, 2020, employers must implement a data security program that includes measures such as risk assessments, workforce training, and incident response planning and testing. The law covers all employers, individuals, or organizations, regardless of location, that collect private information on New York residents.
Under the SHIELD Act, “private information” is defined as any individually identifiable information, such as a name, number (e.g., an employee ID number), or other identifier, coupled with one or more of the following: a social security number; a driver’s or non-driver identification card number; an account number, credit card number, or debit card number in combination with any security code, access code, password, or other information that would permit access to the individual’s financial account; or biometric information (such as a fingerprint, voice print, or retina or iris image). It also includes a username or email address in combination with a password or security question and answer that would permit access to an online account.
Over the past couple of months, HR Works has received requests from employers to provide a handbook policy to comply with this law. It must be noted that merely having a policy in the employee handbook regarding the protection of private information will not meet the requirements of the law. A handbook policy can support an employer’s data security program, but to achieve compliance, the SHIELD Act requires employers in possession of New York residents' private information to implement a data security program which safeguards private information.
The SHIELD Act does not mandate specific safeguards; instead, it provides that a business will be compliant if it implements a data security program that includes all the elements enumerated in the Act. Some key elements with relevance to employers include the following:
- Designating an employee or employees to coordinate the data security program.
- Providing workforce cybersecurity training in the security program’s practices and procedures.
- Identifying reasonably foreseeable external and insider risks and implementing controls to reduce those risks.
- Vetting service providers and binding them contractually to safeguard private information.
- Developing a process for implementing adjustments to the security program based on business changes or new circumstances.
- Destroying private information securely and within a reasonable amount of time after it is no longer needed for business purposes.
Employers should consult with their IT professionals to ensure reasonable technical safeguards are in place by the effective date.
© 2020 HR Works, Inc. All Rights Reserved