In the wake of all the news, you may have lost sight of the increased data security and privacy requirements that will soon be imposed on New York businesses, including nonprofit organizations. As of March 21, 2020, any New York business or person that owns or licenses “private information” (defined below) will be subject to the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”).
Likely the most significant aspect of the SHIELD Act for many nonprofit organizations is the requirement that they adopt reasonable administrative, technical and physical safeguards to protect the security, confidentiality, and integrity of private information. Some reasonable safeguards might include risk assessments, employee training and timely data disposal.
The law allows a different standard of reasonableness for small businesses, which are defined as businesses with 50 or fewer employees and under $3 million in gross revenues or businesses with under $5 million in assets. Small businesses will be required to implement reasonable safeguards appropriate to the size and complexity of the business.
Under the new law, a “breach” of an organization’s security system now includes unauthorized “access” of computerized data that compromises the security, confidentiality, or integrity of private information. Previously, a breach under New York’s data security laws was defined only as unauthorized acquisition of computerized data.
Every employer with employees in New York must comply with the SHIELD Act because “private information” includes an individual’s name and Social Security number. In addition, the SHIELD Act defines “private information” to include biometric information and username/email address in combination with a password or security questions and answers. It also includes an account number or credit/debit card number, even without a security code, access code, or password if the account could be accessed without such information.
WHAT SHOULD YOU DO NOW?
- Gain an understanding of your organization’s current data safeguards.
- Assess, most likely with the help of an IT professional, whether your current safeguards are sufficient to meet the requirements of the new law.
- Create documentation to show those steps your organization has taken to safeguard data.
- Make a plan for addressing a data breach.