The Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a New York state law that increases the protection of personal information by enforcing changes to data management and security policies. Many auto and truck dealerships both inside and outside New York State will need to update their IT systems and policies in order to comply, so it’s important to understand the requirements set by the law.
When does the SHIELD Act go into effect?
There are two key dates, each corresponding to a component of the SHIELD Act:
- Amendments to the breach notification requirements take effect on October 23, 2019.
- The “reasonable safeguards” requirements for data security take effect on March 21, 2020.
Under the SHIELD Act, the definition of “private information” expands to cover, under certain circumstances: account numbers, credit or debit card numbers, biometric information such as fingerprints or facial recognition data, usernames, and email addresses. Breach notification will also be required in cases of unauthorized data access, not just unauthorized data acquisition. These changes go into effect on October 23, 2019.
Dealerships should implement key security controls and data management policies by the March 2020 deadline to comply with the reasonable safeguards requirement.
Who does the SHIELD Act apply to?
Any business that owns or licenses computerized data containing private information of New York State residents must comply with the SHIELD Act, regardless of whether that business operates within New York.
Auto and truck dealerships are prime targets for SHIELD Act enforcement because they collect, store, and transmit customer data (in the form of lease agreements, credit checks, autopay authorizations, etc.) on a daily basis.
What should auto and truck dealerships do to prepare?
To comply with the SHIELD Act, dealerships must develop, implement, and maintain “reasonable safeguards” to protect the security of private consumer information. The SHIELD Act outlines several reasonable safeguards that are necessary for compliance, but dealerships should also follow the CIS 20 Controls, a list of best practices established by The Center for Internet Security (CIS).
Dealerships need to assess their current security posture and update policies as necessary. This process will look slightly different for each dealership, but here is a brief list of essential steps:
- Examine both the SHIELD Act’s reasonable safeguards and the CIS cybersecurity controls, and identify which you already follow and which you still need to implement
- Identify the ways your dealership collects consumer information and how this data is managed
- Work with your IT service provider to assess your systems
- Work with your IT service provider to develop new policies and procedures
- Plan necessary changes to your website to comply with the law
- Inform employees about changes in policies and how they should relay this information to customers
- Develop a checklist to keep track of all the important steps of this process
When should you start preparing for SHIELD?
Breach notification requirements and the definition of private information are both changing on October 23, 2019. Dealerships need to ensure that all employees understand these updates (and any accompanying changes in procedure) by this date.
Dealerships also need to have their reasonable safeguards in place by the March 2020 deadline, so it’s essential to start planning for compliance as soon as possible.
The process of updating IT systems for regulatory compliance can be extremely complex, and requires careful planning. Waiting too long could result in costly mistakes, logistical issues, and having to spend more money in order to get compliant on a tighter schedule. Additionally, scrambling at the last minute causes more stress for dealership owners, employees, and consumers alike. The best time to start is right now.
When should you engage with a specialized IT vendor?
Complying with the SHIELD Act requires the right kind of expertise. Managed IT services providers work on many of these projects, so they understand the complexities of compliance and have the comprehensive knowledge and experience to get the job done efficiently. If you haven’t done so already, consider engaging with an IT service provider as soon as possible.
An IT service provider can assess your current systems, outline the scope of the compliance project, give you an idea of the specific updates you’ll need to implement, and develop an overall strategy to ensure your dealership is ready by the SHIELD Act’s effective dates. Consulting a service provider will also generate long-term benefits for your business by optimizing other IT processes.
When choosing a managed IT services provider, make sure you choose one that specializes in, or is at least intimately familiar with, auto and truck dealer IT. Generalist providers won’t necessarily know what you need, while a specialized service provider will know exactly how to help you maintain compliance and streamline your IT process in a way that makes sense for your dealership in the long run.