NY SHIELD Act: Security awareness and training requirements for New York businesses

Introduction

The world of data protection and privacy regulations has brought us many laws and acts. The most commonly cited are the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The wide remit of these regulations has increased general awareness of data security issues. These regulations have also created stringent requirements that companies the world over must abide by.

One such regulation is the NY SHIELD Act. The latest update to the act includes important changes in what constitutes a data breach. Importantly, the Act also sets out a series of safeguards, including security awareness training, that can help protect private information.

The security measures inherent in data protection regulations offer important guidelines. These measures are not just about avoiding fines and sanctions; they can also be used to prevent data breaches that have a wide-reaching impact on a business. With 15.1 billion data records breached in 2019, conforming to a regulation such as the NY SHIELD Act has never been more important.

What is the NY SHIELD Act?

The updated New York SHIELD (Stop Hacks and Improve Electronic Data Security) Act came into force on March 21, 2020, in the middle of the COVID-19 pandemic. The updated Act, with an original effective date of October 23, 2019, sets out new measures around data security requirements.

The New York SHIELD Act applies if an organization processes the private data of New York residents (both customers and employees). The NY SHIELD Act requires measures to be taken to protect the security, confidentiality, and integrity of these data.

The NY SHIELD Act defines personal information as information such as a name or some other identifier. Private information is personal information plus various data elements, if those elements are not encrypted. This includes:

  1. Social Security number
  2. (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Susan Morrow. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/4_rn9R30M6Y/
