On July 25, 2019, Governor Andrew Cuomo signed into law the “Stop Hacks and Improve Electronic Data Security” (“SHIELD”) Act, which amends New York’s 2005 Information Security Breach and Notification Act. The SHIELD Act significantly strengthens New York’s data security laws by requiring businesses to implement reasonable safeguards for the “private information” of New York residents and by broadening New York’s security breach notification requirements. The breach notification changes took effect in October 2019 and the data security requirements in March 2020, so the Act has been fully enforceable since March 2020. Since its enactment, lawmakers have taken a closer look at New York’s privacy laws and identified several gaps. New York has therefore amended the SHIELD Act, and those amendments are discussed below.
What is New York’s SHIELD Act?
New York’s SHIELD Act requires any person or business that owns or licenses computerized data containing the “private information” of New York residents to implement and maintain reasonable security measures to protect the security, confidentiality and integrity of that information, which in practice includes every employer with employees in New York. Under the 2005 Information Security Breach and Notification Act, “private information” was defined as personal information (information that can be used to identify a natural person) in combination with one or more of the following elements: a social security number; a driver’s license or non-driver identification card number; or an account number or credit or debit card number together with any required security code, access code or password that would permit access to the financial account. The SHIELD Act expands that definition in three ways: an account number or credit/debit card number now qualifies on its own if it could be used to access a financial account without any additional code or password; biometric information (such as a fingerprint, voice print, or retina or iris image) is added; and a username or email address in combination with a password, or with a security question and answer, is added even when no other identifying information is present.
What Types of Security Breaches are Covered by the SHIELD Act?
Under the 2005 Information Security Breach and Notification Act, a security breach was defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of private information. The SHIELD Act expands the definition of a “breach of the security of the system” to also include unauthorized access to computerized data that compromises the confidentiality, security or integrity of private information, and it lists factors a business may consider in determining whether information has been accessed, such as indications that it was viewed, communicated with, used or altered by a person without valid authorization. A breach can therefore be reportable even if no data was copied or exfiltrated.
What is the Territorial Scope of the SHIELD Act?
Previously, the law applied only to persons and businesses that conducted business in New York. The SHIELD Act removes that limitation: the breach notification and data security requirements now reach any person or business, wherever located, that owns or licenses computerized data containing the private information of a New York resident, which includes every employer with employees in New York.
What are the SHIELD Act’s Data Security Requirements?
While the SHIELD Act does not mandate specific safeguards, it provides examples of practices that would be considered reasonable administrative, technical and physical safeguards. Examples of reasonable administrative safeguards include:
designating individuals or teams responsible for security programs;
ensuring a risk assessment process is in place that can identify reasonably foreseeable external and internal risks and implementing controls to reduce those risks;
training and managing employees in the security program procedures and practices;
vetting service providers and binding them contractually to safeguard all private information;
maintaining and practicing disaster recovery and business continuity plans; and
securely destroying private information within a reasonable amount of time after it is no longer needed for business purposes.
Businesses must also implement reasonable physical safeguards to protect their electronic information systems. Examples of physical safeguards include:
detecting, preventing and responding to intrusions;
protecting against unauthorized access to or use of private information during or after its collection, transportation and destruction or disposal; and
assessing the risks of information storage and disposal.
Businesses should also implement reasonable technical safeguards to protect private information. Examples of technical safeguards include:
assessing risks in network and software design;
assessing risks in information processing, transmission and storage;
detecting, preventing and responding to attacks or system failures;
regularly testing and monitoring the effectiveness of key controls, systems and procedures; and
in practice, measures such as multi-factor authentication, encryption of private information at rest and in transit, and data loss prevention tools, which the Act does not list by name but which are commonly used to meet the standard above.
What are the Breach Notification Requirements?
The SHIELD Act requires that, in the event of a breach involving private information, the person or business notify every affected New York resident (consumers and employees alike) following discovery of the breach. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the integrity of the system. The law also requires notice to the Attorney General’s office, the New York Department of State and the New York State Police as to the timing, content and distribution of the notices and the approximate number of affected persons; submitting the breach form through the NYAG data breach reporting portal satisfies this requirement, since the portal forwards the submission to all three entities.
What are the Penalties if you Fail to Comply with the SHIELD Act?
If a business fails to implement a compliant information security program, the Attorney General may seek injunctive relief and civil penalties of up to $5,000 per violation.
If a data breach does occur and involves the private information of more than 500 New York residents, the business must provide written notice to the Attorney General within 10 days after the determination. Failure to comply with the breach notification requirements can make a business liable for the actual costs or losses incurred by persons entitled to notice, including consequential financial losses. In addition, where the failure to provide timely notification was knowing or reckless, the court may impose a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, with the latter amount not to exceed $250,000.