A wave of consumer privacy legislation is sweeping the U.S., leaving many auto dealerships uncertain about compliance and concerned about potential impacts on business. One such law is New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which passed in July 2019. When the law takes effect in March 2020, businesses will be subject to fines and lawsuits if they fail to comply.
Are you subject to SHIELD?
If your business owns or licenses any computerized data containing private information of New York State residents, regardless of where your business is located, you must comply with the SHIELD Act.
Even if your business doesn’t currently own any applicable data, you should be prepared for compliance. Regulations are constantly evolving, and it pays to stay ahead of the curve when it comes to consumer privacy law.
How can you know if your dealership is ready?
In order to prepare for the SHIELD Act, you first need to understand how it changes existing law. It does so in three key ways:
- Expands breach notification requirements to include unauthorized data access, not just unauthorized data acquisition
- Expands the definition of “private information” to include, under certain circumstances: account numbers, credit or debit card numbers, biometric information (such as fingerprint or facial recognition data), usernames, and email addresses
- Extends the period of time in which the attorney general may take action against a business
These breach notification changes take effect sooner than the rest of the Act, on October 23, 2019. Employees need to be educated on these amendments and how they will affect procedures and policies at your dealership.
Additionally, businesses subject to the law must do the following by March 21, 2020 in order to comply with the SHIELD Act:
- Designate an employee to coordinate the security program
- Identify foreseeable internal and external risks
- Assess the sufficiency of safeguards in place to control identified risks
- Train employees on security
- Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract
- Adjust the security program in light of business changes or new circumstances
Experts agree that, at a minimum, all organizations should adopt the 20 controls listed by the Center for Internet Security in its Critical Security Controls best practices document in order to prevent breaches. To determine preparedness, businesses should work with their IT services provider to check their cybersecurity controls against this list.
What should you do to prepare?
If your business is subject to the SHIELD Act, you should start preparing immediately. Get started with our 5 Tips to Make Your Dealership SHIELD Act Compliant.