Stay Compliant with the New York SHIELD Act
Bruce Dorris, the President and CEO of the Association of Certified Fraud Examiners (ACFE), is calling the coronavirus pandemic a “perfect storm for fraud.” An ACFE survey following the 2008 financial crisis found that 80% of respondents believed fraud increases in times of economic stress. Even before the coronavirus pandemic triggered the recession, companies were facing severe data breaches.
Not only can a data breach put employees’ and clients’ personal information at risk, but breaches are also extremely costly. A 2019 IBM study found that, on average, the cost of a data breach has increased by 12% over the past 5 years to $3.92 million per incident. And yet, because of the recession, many businesses are reducing their data security budgets, while others are realizing that business process outsourcing could both reduce costs and increase data security.
What Is the SHIELD Act?
Seeing the rising risk of data breaches, New York’s governor signed the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act in July 2019 to protect the personally identifiable information (PII) of those living in New York. To accomplish this, the law broadens both companies’ obligations to notify New York residents when there is a security breach and the safeguards companies must maintain to protect that PII.
What Type of Information Does the Law Protect?
The “private information” the law is designed to protect includes Social Security numbers, driver’s license numbers, credit or debit card numbers, financial account numbers, biometric information, and usernames or email addresses combined with a password that could be used to access an account.
How to Tell If the SHIELD Act Impacts Your Business
With the full law going into effect in March 2020, it applies not only to companies located in New York, but to any business that holds the “private information” of anyone living in New York, including both employees and customers. This is why it’s critical that business leaders and HR professionals understand the importance of complying with this law.
How to Comply with the SHIELD Act
Companies must “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.” The law doesn’t prescribe specific technical controls, but instead requires companies to have a “data security program,” with stipulations outlined in the SHIELD Act, including:
- Having a point person in charge of the data security program
- Training employees to comply with program practices and procedures
- Analyzing internal and external security risks and how to limit them
- Destroying private information that is no longer needed
- Ensuring outsourced service providers safeguard information
If you are concerned about the added burden and intricacies of SHIELD Act compliance, partnering with a business process outsourcing provider that holds a current SOC 2 Type 2 Report could help, since such a provider already has audited, secure processes in place that support your compliance efforts.
What Should You Look For In a Business Process Outsourcing Provider?
IBM’s 2019 Data Breach Report found that the misconfiguration of cloud servers accounted for 43% of the 990 million records that were exposed and lost in 2018. This is why it’s so important not only that your own systems are updated frequently to prevent a data breach, but also that your business process outsourcing provider offers services and software to help your organization meet SHIELD Act, HIPAA, and other compliance requirements.
The best business process outsourcing (BPO) company will have third-party certified protocols and systems in place to protect the private information contained in the business documents and data being processed in its facilities. It will also offer document management software with the functionality to help ensure document and data security while documents are stored, accessed, and tracked, whether in the cloud or inside your organization.
How Does MetaSource Help Companies Comply with the SHIELD Act?
With the growing risk of data breaches and the ever-changing forms of fraud, the process of SOC 2 Type 2 certification has become more difficult every year. Even so, MetaSource has successfully received certification after going through the rigorous SOC 2 Type 2 audit, which means a third-party auditor annually confirms that MetaSource has put in place processes that meet demanding criteria across three trust principles: security, confidentiality, and availability.
MetaSource’s document management software also allows you to define user rights and administrative settings to help ensure information security once all of your documents are scanned and digitally archived. This document-level security, covering who has access to a document, what they can do with that document, and a clear record of everyone who has accessed it, is critical in cases of fraud, or when a company needs to prove during an audit who has seen the private information. Additionally, this reliable cloud service is hosted in redundant SOC 2 (service organization controls) audited data centers in order to provide you with a superior level of security.
Working with a SOC 2 Type 2 partner makes it easy to prove you are following the SHIELD Act mandate requiring outsourced service providers to safeguard personally identifiable information (PII).
If you’d like to learn more about working with MetaSource, please contact us at (888) 634-7684. Or you can read our ebook Why Is BPO Important for Companies Now More Than Ever?
Note: This was not written by legal experts. Please consult a lawyer for specifics on how to follow the law.