Is Your Business Ready for the SHIELD Act?
srost • August 30, 2022

In 2019, New York State Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act. The Act went into effect on March 21, 2020.


The SHIELD Act is a requirement set by NYS to further protect the identity and security of New York residents' private information, and it applies whether your company is located in NYS or simply does business with New York residents.


“Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”


Private information includes Social Security numbers, driver's license numbers, account numbers, credit/debit card numbers, fingerprints, retina images (e.g., face ID for smartphones), usernames/emails/passwords, and more. The goal of this act is to help further protect against identity theft.


To meet the guidelines stated in the SHIELD Act, NYS requires every business to have reasonable security measures in place. A business is in compliance with the SHIELD Act if those measures are in place. The security measures, as defined by this new law, are that the business:


  1. Designates one or more employees to coordinate the security program
  2. Identifies reasonably foreseeable internal and external risks
  3. Assesses the sufficiency of safeguards in place to control the identified risks
  4. Trains and manages employees in the security program practices and procedures
  5. Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
  6. Adjusts the security program in light of business changes or new circumstances


Your business will also be in compliance if you currently meet the requirements of:


  1. Title V of the Federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809)
  2. Regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. Parts 160 and 164)
  3. Part Five Hundred of Title Twenty-Three of the official compilation of codes, rules and regulations of the state of New York (Cybersecurity Requirements for Financial Services Companies)
  4. Any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government as such rules, regulations or statutes are interpreted by such department, division, commission or agency or by the Federal or New York state courts.


Any security breach must now be reported directly to the New York State resident whose information was allegedly stolen. Failure to comply with the SHIELD Act will result in a fine from the New York State attorney general.


Read the official SHIELD Act text here.


ACC is dedicated to assisting our clients with their compliance requirements, including initial steps as well as ongoing efforts while needs change.


Contact us here to start a discussion and request a compliance audit.


By srost August 10, 2022
In the growing list of ways threat actors try to access and steal data and information, we want to take a minute to talk about attacks that happen on a device most of us carry around all day. Cell phones are increasingly targeted for phishing attacks via SMS (text messaging), also known as "smishing." Why? First of all, we've come to trust our smartphones as the device that solves a lot of our problems, like googling an actor whose name we can't remember, or replying to an email while on the go. By targeting a device we trust (whether subconsciously or not), the attacks are often more successful because we let our guard down. Secondly, because they've become almost as unique and valuable as Social Security numbers, cell phone numbers are highly sought-after information in a data breach.

The attacks happen for different reasons and use different techniques. The following are just a few examples of the methods and contexts they come in:

  - Unsolicited text messages from banks, service providers, and superiors. Most play upon some sense of fear, such as account cancellation, someone stealing money from your bank, being accused of a crime or wrongdoing, or harm to your family. Often, they will impose a sense of urgency to elicit a response. They will request that you text back or go to a link to fix or activate something.
  - Anyone with an email address can send you a text message. All mobile providers have an email-to-text conversion address.
  - There are many web/app-based free text messaging services that require no verification of identity to use.
  - SMS is a major form of 2-factor authentication for applications; therefore, it's a target.

So, how do they obtain your mobile number? There are quite a few ways that you might not even think of because they're so ingrained in our everyday lives.

  1. Many rewards programs utilize your cell phone number as your identity. Retailers with brick-and-mortar stores will ask for your phone number when you check out, and anyone nearby can hear it.
  2. Most businesspeople list their cell phone number on their business cards, email signatures, and presentations they give.
  3. We use our cell phone number at many publicly accessible locations, such as pizza shops, restaurants, doctors' offices, hairdressers, and grocery stores.

What can you do to protect yourself? Generally, you should avoid interacting with the message's content or sender, but here are some specific actions:

  - Do not rush to action; take your time evaluating a text.
  - Do not reply to any texts that are unsolicited.
  - Do not click on links from unsolicited texts.
  - Report the suspicious number to your cell phone provider.
  - Delete the message to avoid inadvertent responses.

It's important to make sure your colleagues are educated about these risks and the protective measures they can take. We suggest sending this post to them or setting up a seminar in your office with ACC's cybersecurity experts.
By srost June 8, 2022
Part of an IT professional's job is to ensure their company's network is secure, helping to prevent attacks that lead to downtime, lost or stolen data, and severe frustration for end users and management. Many times, the biggest threat to the carefully chosen layers of security is the end users themselves. They click on unfamiliar links, visit sketchy websites, or give credentials and information out to the wrong person, among other things. But we can't place all of the blame on them; old habits die hard, and technology constantly changes. We have to continuously educate end users and ourselves on best practices and make sure they're building good habits when it comes to technology use. There are multiple steps in creating and maintaining a secure network, but here are three of them.

1. ALWAYS VERIFY SOMEONE'S IDENTITY BEFORE GIVING OUT INFORMATION

Social engineering attacks have always been the easiest way to obtain credentials and sensitive information. Why take the time to hack a system when you can pretend to be a vendor or someone else and get the info gift-wrapped to you by an end user? Calling and pretending to be a representative from a vendor, even a big name like Microsoft, is a popular strategy. If an end user has never talked to this caller and has the slightest doubt that they're really from the company, no information should be given. If it's a vendor your company does business with regularly, hang up, call the main point of contact there, and ask for verification. Taking the time to do this can save headaches down the road. The same thing applies to spoofed emails that appear to come from a coworker. Requests for passwords, money distribution, or any sensitive information should always follow a multi-step verification process. Options include a verbal confirmation or a signed form for the request. The bottom line is that legitimate companies will never ask for an end user's password or other sensitive info over the phone. When in doubt, verify!

2. BE WARY OF URLS/LINKS THAT LOOK ODD

Links to webpages are everywhere, including in emails, in text or ads within a webpage, in text messages, in apps, and in other places. We've been clicking on those links since AOL told us we had mail in the 90s, but that was over 20 years ago, and our behavior needs to change with the times. Today's headlines and titles are meticulously crafted by clever marketers to entice people to click (we may or may not have intentionally written our post title this way…). Often, this is to increase views and website traffic with the intention of gaining new business. Sometimes, it's done with malicious intent. People will click on links and unknowingly visit web pages that contain malware, ransomware, and all sorts of mayhem if they don't exercise caution. Here are a few ways to spot sketchy links:

  - The grammar and spelling of the surrounding text are poor or beyond comprehension.
  - Letters are replaced with similar characters, such as 0 for o in google.com (g00gle.com).
  - It's in a message from someone you know, but the wording is very unlike that person.
  - The top-level domain is something besides the more common .com, .org, or .gov. Examples include .ru, .download, .xyz, and .science.
  - Shortened links (bit.ly, ow.ly, etc.) on web pages, in emails, or even on unfamiliar social media posts.

Of course, a sure-fire method is to just not click on it.

3. ADD AND MANAGE LAYERS OF NETWORK SECURITY

It's not all up to the end users. The IT department or IT professional is responsible for putting layers of security in place as a multi-directional defense (to keep threat actors from reaching in and internal staff from letting them in). Depending on the business type, applications, and data needs, among other things, the network security components needed will vary. Businesses in the healthcare, financial, and human resources sectors typically have higher cybersecurity compliance requirements because of the sensitive data they acquire and store.

In addition to creating a strong network defense, IT professionals must keep informed on changing technologies, new threats, and the best ways to mitigate risks for the business. Businesses also utilize outside IT firms for various reasons, including larger projects, consultation, and additional helpdesk support. It's important that outside firms are vetted and questioned about the solutions they recommend. They should always be able to back up their recommendations with solid reasons that tie back to the business, especially when the business' network security and data are at stake.

IN THE END…

Education and prevention are key steps to protecting your business' network from intruders who aren't allowed access. If you're at all unsure about the security of your network, contact us.
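The link-spotting heuristics in section 2 above (look-alike digits such as g00gle.com, uncommon top-level domains, and shortened links) can be turned into a small triage check that a helpdesk can run on a reported URL. This is an added example, not code from the original post or from ACC; the "common" and "suspicious" TLD sets, the shortener list, the digit-for-letter table and the brand list are constructed assumptions drawn from the heuristics listed above.

```python
from urllib.parse import urlsplit

# Constructed assumptions for this example (taken from the heuristics in the post):
COMMON_TLDS = {"com", "org", "gov"}
SUSPICIOUS_TLDS = {"ru", "download", "xyz", "science"}
SHORTENERS = {"bit.ly", "ow.ly"}

# Digit-for-letter swaps of the "0 for o" kind described in the post.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_host(host):
    """Undo common digit-for-letter swaps so g00gle.com compares as google.com."""
    return host.lower().translate(LOOKALIKES)


def check_link(url, known_brands):
    """Return the list of heuristics this URL trips; an empty list means none tripped.

    known_brands is a set of registrable domains the organisation trusts, e.g. {"google.com"}.
    """
    findings = []
    # urlsplit only fills hostname when a scheme is present, so add one if missing.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname"]
    labels = host.split(".")
    tld = labels[-1]
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host

    # Heuristic: shortened links hide the real destination.
    if registrable in SHORTENERS:
        findings.append(f"shortened link ({registrable})")

    # Heuristic: a TLD the post names as suspicious, or anything outside the common set.
    if tld in SUSPICIOUS_TLDS:
        findings.append(f"suspicious TLD .{tld}")
    elif tld not in COMMON_TLDS:
        findings.append(f"uncommon TLD .{tld}")

    # Heuristic: the host is not a trusted brand as written, but becomes one once
    # the digit-for-letter swaps are undone (g00gle.com -> google.com).
    normalized = normalize_host(registrable)
    if registrable not in known_brands and normalized in known_brands:
        findings.append(f"look-alike of {normalized}")
    return findings
```

The check is deliberately conservative: it reports reasons to pause rather than a verdict, and a clean result still does not mean the link is safe, which is why the post's advice to avoid clicking unsolicited links stands.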