Effective March 21, 2020, the New York SHIELD Act imposes data security requirements on most businesses that own or license computerized data that includes the “private information” (defined below) of New York residents. In sum, such businesses must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information. Many businesses likely already comply with these requirements, but statutes like the SHIELD Act provide a good reminder to review your data security program and confirm that you have everything squared away.
The SHIELD Act requires that businesses develop, implement, and maintain the following safeguards, at a minimum:
- Reasonable Administrative Safeguards: Such safeguards should include the following: (1) designate one or more employees to coordinate the security program; (2) identify reasonably foreseeable internal and external risks; (3) assess the sufficiency of safeguards in place to control the identified risks; (4) train and manage employees in the practices and procedures of the security program; (5) select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract; and (6) adjust the security program in light of business changes or new circumstances.
- Reasonable Technical Safeguards: Such safeguards should include the following: (1) assess risks in network and software design; (2) assess risks in information processing, transmission, and storage; (3) detect, prevent, and respond to attacks or system failures; and (4) regularly test and monitor the effectiveness of key controls, systems, and procedures.
- Reasonable Physical Safeguards: Such safeguards should include the following: (1) assess risks of information storage and disposal; (2) detect, prevent, and respond to intrusions; (3) protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and (4) dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
“Private information” includes (1) Social Security numbers; (2) driver’s license numbers; (3) biometric information; (4) account numbers or credit or debit card numbers if they can be used to access an individual’s financial account; (5) account numbers or credit or debit card numbers in combination with security codes, access codes, or passwords that permit access to an individual’s financial account; and (6) usernames or email addresses in combination with a password or security question and answer that would permit access to an online account.
Businesses that follow the data security requirements in HIPAA, GLBA, the New York Department of Financial Services Cybersecurity Regulation, or any other New York statute or rule are not required to comply with the Act. A “small business” with fewer than 50 employees, less than $3 million in gross annual revenue, or less than $5 million in total assets, may also scale down its compliance program.
Breach Notification: Effective October 23, 2019, the SHIELD Act also made a number of edits to the New York data breach notification statute. Those edits included expanding the definition of “private information” to include biometric information and account credentials (following a trend we have seen with other states), prescribing additional content requirements for the individual and regulator notices, increasing the penalty caps to $20 per instance of failed notification (i.e., $20 per individual) up to $250,000, and extending the statute of limitations for regulator actions from two to three years. The statute does not expressly create a private right of action.