With massive breaches hitting the headlines, various states are rushing to ensure that the businesses holding their residents' data keep it secure. New York passed one such law in July 2019: the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act. It is New York's way of imposing data security obligations on business owners.
The Act's reach is broad: any person or business that owns or licenses computerized data containing the private information (PI) of a New York resident must implement reasonable safeguards for that data, whether or not the business is located in or does business in the state. Private information here includes Social Security numbers, driver's license numbers, credit card and financial account numbers, biometric data, and usernames or email addresses when combined with a password or security question and answer that would permit access to an online account.
In practice, the responsibility falls on the people who control this PI, typically HR and accounting. The SHIELD Act requires employers in possession of New York residents' private information to "develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information." Some key elements with relevance to HR stakeholders include the following:
- Designating an employee or employees to coordinate the data security program.
- Training and managing employees in the security program practices and procedures.
- Assessing internal and external risks and implementing controls to reduce those risks.
- Vetting service providers and binding them contractually to safeguard private information.
- Securely destroying private information within a reasonable amount of time after it is no longer needed for business purposes.[1]
As more states pass legislation to protect their citizens' data, every business should review its own security precautions. Consult your HR staff and your officers about how best to protect your employee data.
[1] https://www.shrm.org/resourcesandtools/legal-and-compliance/state-and-local-updates/pages/new-york-shield-act.aspx