Not many companies are aware of the repercussions of the recently adopted cyber security guidelines relevant to all employers in New York State.  On July 26, 2019 governor Cuomo signed the "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act, requiring businesses to implement safeguards for the "private information" of New York State residents and broadening New York's security breach notification requirements. Previously, for a breach to trigger a consumer notification, private information would have had to be actively acquired by an unauthorized party. Now, a notification must be sent to any consumer whose data was simply accessed by an unauthorized party. As a result of this change far more breaches will be covered under the SHIELD Act. 

According to the Society for Human Resource Management (SHRM), all employers with employees in New York must comply with the SHIELD Act because "private information" includes an individual's name and Social Security number. "Private information" also includes a driver’s license number, credit or debit card number, financial account number (with or without security code, as long as an unauthorized person could gain access to the account), biometric information, and usernames or e-mail addresses with a password that permits access to an online account. Many businesses without a New York State presence may be required to comply as the law applies to any business that maintains the private information of New York residents.

Requirements to protect data have been in place for a large portion of the public sector for years (Medical (HIPAA), Finance (GLBA), and Manufacturing (ISO) are some of the more common examples). This is the first time New York State has introduced cyber security controls to all general businesses across the board.

To summarize, if you own a business and have failed to implement a “reasonable” cyber security program, New York State can fine you if you experience a breach of your confidential information or if you fail to report such a breach under the new law. If your company has a data breach, you will be subject to potential fines of $25,000 or more depending on the size of your business.

Below are the high level requirements of the new law:

1)      Implement reasonable safeguards

1. Protect sensitive information
2. Implement policies and procedures
3. Vendor management
4. Access restrictions to private information

2)      Designate at least one person to coordinate cyber security and breach reporting

3)      Perform routine risk assessments of your company’s data network

1. Auditing
2. Vulnerability scanning and testing

(If you would like to read the entire law, please visit The New York Senate or New York Attorney General).

One of the biggest questions about this law is: what does New York State consider to be “reasonable” in terms of creating a cyber security program? One might consider password protected computers and antiviral software reasonable; however, under New York State Department of Financial Services (NYSDFS) regulations that is not even close to being compliant as there are a slew of other security procedures and policies that need to be addressed under that law.

Next, what does a general organization do to implement a “reasonable” approach to cyber security when there are no definitive guidelines to follow? The determination is to ascertain if you have any privately stored data (this includes employee or customer social security numbers). If the answer is “no” then antiviral software and a password protected computer would be considered reasonable. If the answer is “yes” then where is the information stored?  If you use an online accounting/payroll system and you have no private information stored on your work or personal computer, then ask your online vendor how they protect your information and be sure to document it.

Where this gets tricky is for the companies that have private information stored in multiple locations (cloud and onsite systems) and on multiple computers. This will require a more detailed and defined approach including the establishment of policies and procedures, a cyber security program, audit program, third party risk assessments and cyber testing to name a few.

What will happen if the company does not comply with this law? First, there has to be a breach of information from your company or cloud provider. Let’s say that you or a staff member accidentally open an infected email and a hacker gains access to your accounting system that has all of your employee’s social security numbers. Over a year later all of your current and past employees are subject to fraudulently filed tax returns. The IRS investigates and finds the common denominator being your company. Lawsuits are filed and both federal and NYS investigators show up at your door. Under this law, if you cannot prove that your company maintained “reasonable” cyber security controls before and every year following the signing of this law, your company can be fined a minimum of $25,000 by New York State.

It is important to note that businesses must comply within 240 days of when Governor Cuomo signed the law, or March 21, 2020. How you get in compliance with the SHIELD Act is up to you as the owner or entity. However, if you fall in the category of a larger operation with stored private information contacting a company that specializes in IT auditing, testing and security would be a good starting point. If you would like more information or have any questions regarding the SHIELD Act, please do not hesitate to contact your Dermody, Burke & Brown advisor.

Christopher Hannan is the Director of IT and IT Auditor at Dermody, Burke & Brown.  He is an IT expert, with over 20 years’ experience in the electronic industry, and is the owner of Optimal Technologies, LLC. Christopher is experienced in Network Engineering, Design, Auditing, Forensic Analysis, Communications and Security. His certifications include Microsoft, CISCO, HP and IBM.

The information reflected in this article was current at the time of publication.  This article will not be modified or updated for any subsequent tax law changes, if any.