Is Your Business in Compliance with the SHIELD Act?
New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Act (the “SHIELD Act”), amending New York’s data breach laws (N.Y. Gen. Bus. Law § 899-aa) to address the growing cybersecurity risks faced by businesses, employees and consumers. The SHIELD Act now requires businesses and employers collecting private information of New York residents, regardless of the location of the businesses, to adopt reasonable security measures to combat data breaches, expands the circumstances qualifying as a security breach and greatly broadens the scope of the information covered by the law. The data security program regulations took effect on March 21, 2020.
With the novel coronavirus requiring businesses and employers to rely more heavily on technology to operate remotely, the risk of cybersecurity breaches has increased dramatically. It is critical that businesses and employers in New York and elsewhere carefully review the new provisions under the SHIELD Act and bring their practices into compliance to avoid enforcement action by the New York State Attorney General and the possibility of significant fines.
The Data Security Program Requirement
As of March 21, 2020, “any person or business” that owns or licenses computerized data, including personal and private information of New York residents, must implement a “data security program” to protect this information. The data security program must include the following safeguards:
(1) Reasonable administrative safeguards in which the person or business:
- designates one or more employees to coordinate the security program;
- identifies reasonably foreseeable internal and external risks;
- assesses the sufficiency of safeguards in place to control the identified risks;
- trains and manages employees in the security program practices and procedures;
- selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract; and
- adjusts the security program in light of business changes or new circumstances.
(2) Reasonable technical safeguards in which the person or business:
- assesses risks in network and software design;
- assesses risks in information processing, transmission, and storage;
- detects, prevents and responds to attacks or system failures; and
- regularly tests and monitors the effectiveness of key controls, systems and procedures.
(3) Reasonable physical safeguards in which the person or business:
- assesses risks of information storage and disposal;
- detects, prevents and responds to intrusions;
- protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
- disposes of private information within a reasonable amount of time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed.
Exceptions to the Rule
A business will be considered a “compliant regulated entity” and excepted from the data security program requirement if it is in compliance with the data security requirements under Title V of the Gramm-Leach-Bliley Act, HIPAA and the Health Information Technology for Economic and Clinical Health Act and other data security laws and regulations of the federal and New York State governments.
Further, while the SHIELD Act does not exclude small businesses from the data security program requirement, if a business qualifies as a “small business” under the SHIELD Act, that business can adjust its data security program to accommodate the size and complexity of the business, the nature and scope of the business’s activities, and the sensitivity of the personal information collected.
Finally, the notification requirement does not apply to an inadvertent breach by a person otherwise authorized to access the private information, if the exposure does not result in financial or emotional harm to the affected individuals.
Expansion of Covered Information
New York’s data breach law previously protected “personal information,” which is defined as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person” and also “private information.”
“Private information” previously included only social security numbers, driver’s license or identification card numbers, financial account numbers or credit/debit card numbers in combination with any required security code, access code or password that would permit access to the individual’s financial account. Pursuant to the SHIELD Act, private information now includes an “account number, credit or debit card number. . . [that] could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or biometric information . . . such as a fingerprint, voiceprint, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.”
Expansion of What Qualifies as a Breach
The SHIELD Act also expands the circumstances that would constitute a “breach of the security system,” thereby triggering notification requirements, which have also been amended. The updates to the breach notification law took effect in October of 2019. A breach of the security system now includes any unauthorized access to or acquisition of protected information. Unauthorized access includes instances where the information was “viewed, communicated with, used, or altered” by an unauthorized person.
Timely notification of any actual or suspected breach is essential, not only for the protection of impacted individuals but also to assist law enforcement in pursuing wrongdoers.
Takeaways for Businesses and Employers
In the midst of the coronavirus crisis, the number of reported phishing scams has greatly increased. Therefore, employers and businesses need to be vigilant to detect data breaches. They must also be informed to determine whether the SHIELD Act applies to them in order to ensure compliance and avoid future violations.
The SHIELD Act’s broad definition of private information, coupled with the imposition of obligations on “any person or business” that owns or licenses computerized data on New York residents, applies to nearly all businesses in New York, as well as to out-of-state businesses with a presence in New York, that collect the covered information. All businesses and employers that are not excepted should make every reasonable effort to ensure that they maintain data security programs that use the required safeguards. Compliance is not only mandatory; it also provides a robust safeguard against unlawful theft of confidential and proprietary information at a time when most businesses, employees and affected individuals are most vulnerable.
While there is no private right of action under the SHIELD Act, the SHIELD Act is enforced by the New York State Attorney General, and any violations may result in injunctive relief and civil penalties. Violation of the notification requirements can even result in civil penalties equal to the greater of $5,000 or $20 per instance of failed notification.
It is recommended that businesses and employers:
- Conduct a thorough review of all current data protection policies to determine compliance with the updated New York State breach notification law, as well as other data privacy regulations.
- Develop adequate controls and protocols to address data privacy risk.
- Expand training programs and real-time monitoring of actual and potential data privacy issues.
- Remain up to date regarding all developments in New York State laws pertaining to the NY Data Privacy Act, with careful consideration of any changes that may be required as the result of continuing legislation.
If you have any questions about the SHIELD Act or your compliance with this law, please contact Kleinberg Kaplan.