On March 21, 2020, New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect, amending New York’s data breach notification law and imposing new data security obligations regarding protection of New York residents’ private information.
Businesses and Private Information Covered by the SHIELD Act
The SHIELD Act has broad applicability to businesses within and outside of New York. The Act applies to any organization or individual (“business”), regardless of size or location, that owns or licenses computerized private information of New York State Residents (“private information”). This includes businesses and employers that are located outside of New York, regardless of whether they conduct business within New York State.
The definition of “Private Information” is largely consistent with the categories covered by the New York Department of Financial Services (DFS) Cybersecurity Regulations. These include individually identifiable information such as a name or identifying number in combination with a Social Security number, driver’s license number, non-driver identification number, credit or debit card number (with or without pass code, if still accessible), financial account number (with or without pass code, if still accessible), or biometric information. The Act also includes as Private Information a username or email address together with the password or corresponding information that allows access to an account.
Businesses that are already complying with the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), or the New York DFS Cybersecurity Regulations are presumed to be in compliance with the NY SHIELD Act.
Obligations Imposed by the SHIELD Act
Data Security Program
Businesses subject to the SHIELD Act are required to develop and implement a data security program with reasonable safeguards to “protect the security, confidentiality and integrity of the private information”, taking into consideration the size and complexity of the business. Safeguards should be further tailored to the sensitivity of the Personal Information held and the associated risks. Reasonable safeguards include administrative, physical, and technical elements such as:
- Developing policies and procedures addressing commitments to Personal Information security, as well as operational requirements, throughout the data lifecycle (through disposal);
- Training employees and designating representatives to administer the data security program;
- Assessing service provider data security programs, as well as reviewing data security provisions in third-party contracts;
- Reviewing, on a defined periodic basis, the technical safeguards in place to prevent unauthorized access to systems and private information and remediating any identified vulnerabilities;
- Implementing a plan for regular review, testing and updating of data security and privacy policies, procedures and systems processing “private information”.
A good starting point is to conduct an assessment of current safeguards, with a focus on reasonably foreseeable risks associated with policies and procedures, systems, networks and physical safeguards.
Data Breach Notification Obligations
The SHIELD Act has broadened the definition of a breach from “unauthorized acquisition” to “unauthorized access” of computerized private information that could “compromise the security, confidentiality, or integrity of private information maintained by the business”. Practically, this means that something as simple as unauthorized access to private information must be evaluated to determine whether that access poses a risk to the information and the individuals with whom it is associated. Where it is “reasonably believed” that private information was accessed by an unauthorized party in a manner that could compromise that information, the business must notify affected parties without delay. To determine whether there was unauthorized access or acquisition, the regulation provides a list of factors to consider, including indications that the information was viewed, used for communications with individuals, used, downloaded, copied or altered by a person without valid authorization or by an unauthorized person. Businesses must also consider whether the loss or disappearance of devices containing private information would enable unauthorized access that could compromise that information.
Notification is not required where the private information was inadvertently shared by an authorized person and the business can reasonably determine, and appropriately document, that such sharing of information will not result in harm to the affected NY resident(s).
Violations of the SHIELD Act
The New York Attorney General may impose civil penalties on a business that fails to implement a compliant data security program or mishandles a data breach. Violations can result in civil penalties up to $5,000 per violation, with a cap of $250,000 for violation of breach notification requirements. The SHIELD Act does not provide a private right of action.
If you have any questions about the SHIELD Act, please contact us.