Recent years have seen a dramatic increase in the frequency and sophistication of cyberattacks — and a growing awareness of the vital importance of data security and data privacy. Many governments are passing legislation to address these issues. Two of the best known are the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) and its extension, the California Privacy Rights Act (CPRA).
Another significant piece of legislation is New York’s Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act). It applies to every organization that stores the personal information of any New York resident, even if it is based outside of New York state.
Read on to learn more about the NY SHIELD Act and how to comply with it.
What is the New York SHIELD Act?
New York’s SHIELD Act was signed into law on July 25, 2019, and became partially effective on October 23, 2019. It amends the state’s previous data breach notification law, the New York State Information and Security Breach and Notification Act, which required organizations to protect the private information of New York residents and disclose any breach of that data to the affected people.
What are the key changes in the New York SHIELD Act?
Some of the key updates that the SHIELD Act makes to the earlier law include:
- It broadens the definitions of “private information” and “data breach”.
- It updates the notification procedures that companies and state entities must follow.
- It requires organizations to develop, implement and maintain administrative, technical and physical safeguards to protect the data of New York residents.
Let’s dive into these and other important changes.
Expansion of the definition of private data
The NY SHIELD Act expanded the scope of private data that companies need to protect to include “private information.” Note that private information does not include data lawfully made available to the public via federal, state or local records.
There are three types of private information:
- Type I — A piece of personal information in combination with one or more of the following “data elements”:
  - Biometric information like fingerprints or retina scans
  - A combination of usernames, passwords, and security questions and answers that can be leveraged to access a person’s online account
  - Credit card numbers (even without the security code) that can be used to access a person’s bank account
  In addition, the data elements or their combination with personal information must be either not encrypted or encrypted with an encryption key that has been compromised.
- Type II — This type of private information consists of a username or email address in combination with a corresponding security question and answer or password.
- Type III — This is any health information as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that is held by a HIPAA-covered entity.
Expansion of the definition of a data breach
The earlier NYS Information and Security Breach and Notification Act defined a breach as the unauthorized acquisition of private information.
In contrast, the SHIELD Act defines the term “breach” more broadly by including unauthorized access to private information. The definition of “access” includes viewing, downloading and copying private information.
Expansion of the range of organizations the law applies to
Previously, the laws around data security only applied to entities that were conducting business in New York state. But the NY SHIELD Act applies to any entity in possession of a NY resident’s private information, regardless of the organization’s location.
In particular, since private information includes an individual’s name and Social Security number, all organizations with employees who are New York residents must comply with the New York SHIELD Act.
New requirement for “reasonable safeguards”
Similar to California’s CCPA, the SHIELD Act requires any organization that licenses or owns the personal information of a NY state resident to put in place “reasonable safeguards” to prevent a breach of that sensitive data. Specifically, organizations must do the following:
- Dedicate one or more employees to carry out the implementation of a security program.
- Implement a security training program.
- Regularly assess and monitor key controls, such as management of access to Active Directory.
- Implement reasonable retention policies that dispose of private information in a timely fashion.
Organizations can tailor their security programs based on the size of the organization, the nature of their business and the sensitivity of the private information they store.
Expansion of exemptions to notification requirements
Under SHIELD, organizations don’t need to notify New York residents about a breach of their data if:
- The breach was caused inadvertently by an individual who is authorized to access the private information, and the exposure does not result in financial or emotional harm to the individuals whose data was breached.
- The organization has already notified them of the same breach under a different breach notification regulation, such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, HIPAA or the Gramm-Leach-Bliley Act (GLBA).
Extension of the violation action period
Previously, the NY State Attorney General had to bring an action against a company within the first two years of the violation. The New York SHIELD law extends this to three years.
How does the SHIELD Act impact my organization?
Implementing safeguards
To comply with the NY SHIELD Act, organizations that possess the private information of a New York resident must “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.”
While the NY SHIELD Act 2020 does not specify the type of safeguards organizations should implement, it states that an organization will only be deemed to be in compliance if it implements a data security program that covers all of the elements described in the SHIELD Act.
Reporting incidents
The law requires that incidents involving the private information of more than 500 New York residents be reported to the New York State Attorney General within 10 days of the organization’s determination regarding the incident. Therefore, organizations need to be able to promptly assess the scope of an incident.
The organization must inform the affected individuals via one of the following methods:
- Phone notification
- Written notice
- Electronic notice
- Another notification type (email, a public posting or a statewide media announcement)
As noted above, there is a caveat: Organizations do not need to notify affected individuals if the incident was an inadvertent disclosure by someone authorized to access private information and the person or business reasonably determines that the exposure will likely not result in the misuse of the information or financial or emotional harm. The organization must document this determination in writing and maintain it for at least five years. If the incident affects over 500 New York residents, the written determination must be provided to the State Attorney General within 10 days of the determination.
In short, this caveat requires you to have a clear understanding of the access to the exposed data and the data involved; otherwise, you will be unable to determine how likely the misuse of private data will be. To gauge whether you have this insight, ask yourself the following questions:
- Do you know exactly where the personal information of NY State residents is stored?
- Do you know who has permissions to access it?
- Do you know who actually has accessed it and what each of those access events involved?
- Could you figure all of this out within 10 days of an incident?
Training employees
An integral piece of a successful data security program is proper training. To comply with the NY SHIELD Act, you must:
- Designate one or more people to coordinate the data security program. Ensure that they have the skills and bandwidth to train employees effectively.
- Train all users in the security program’s practices and procedures, including how to properly handle sensitive information.
- Mitigate the risk of service providers misusing or leaking protected information by investigating their security practices and contractually binding them to safeguard private information.
Your Human Resources team will likely play a key role in coordinating and implementing your data security program.
What are the consequences of noncompliance?
The New York State SHIELD Act is enforced not by private entities but by the Attorney General’s office.
If an organization fails to notify affected individuals of a data breach, those individuals may be entitled to $5,000 or up to $20 per failed notification (not to exceed $250,000), whichever is greater. Thus, a large breach could cost your organization $250,000 — which could shutter a small or mid-sized business.
While a large enterprise could absorb the financial shock more readily, its reputation could be damaged, leading to lost customers and less revenue.
How can my organization build a compliant data security program?
To comply with the NY SHIELD Act, organizations must implement a data security program that has “reasonable safeguards.” Here are the core capabilities to implement.
Identify sensitive content and control access to it
To protect regulated data, you need to know where it is stored. Consider investing in a cybersecurity solution that can identify and classify sensitive data, as well as control access to it via automated access request and approval workflows that enable content owners (not IT teams) to determine who has permissions to it.
Gain visibility into risks and implement controls to reduce those risks
To prevent data breaches, you need to proactively identify internal and external risks, prioritize them, and mitigate them — and repeat this process on a regular basis as your IT environment changes and the threat landscape evolves. Comprehensive cybersecurity software can enable you to implement an effective risk assessment and mitigation program.
Implement proper retention policies
To comply with the NY SHIELD Act, you must destroy private information within a reasonable period after it’s no longer needed to conduct business. Software tools can help you implement a retention policy that ensures data is automatically deleted in compliance with SHIELD’s requirements.
You should make one or more employees responsible for coordinating your retention policy. Choose data security experts, give them the power to act independently and ensure they regularly report to the C-suite.
Audit and analyze access to sensitive information
Finally, you must be able to quickly spot any unauthorized access to sensitive information. Auditing solutions can track all activity, detect suspicious events, and report on which files were accessed and by whom.
How can Netwrix help us achieve compliance with the NY SHIELD Act?
Ensuring compliance with the NY SHIELD Act can be tricky, especially for small organizations with limited resources.
Netwrix’s Compliance Audit Solution simplifies the work of achieving and proving compliance. You can:
- Pinpoint your regulated data and lock down access to it. Minimize risks to regulated data by accurately controlling access to it, through automated access request and approval workflows and regular review and attestation by data owners.
- Detect threats in their early stages and combat them effectively. Quickly identify and shut down threats with continuous auditing, advanced analytics and automated response.
- Slash audit preparation time from weeks to minutes. Create hard evidence of your NY SHIELD compliance in just a few clicks. Delight auditors with easy-to-read reports on user rights, data access, system configurations and more, and answer ad-hoc questions on the spot.
- Avoid penalties. Netwrix’s Compliance Audit Solution helps you avoid stiff penalties for noncompliance by meeting incident reporting deadlines and responding promptly to data subject access requests (DSARs).
Frequently Asked Questions
Do I have to comply with the SHIELD Act?
Your organization must comply with the SHIELD Act, even if your organization is not conducting business in New York, if it stores or processes the personal data of New York residents. In particular, if you have employees or customers who are NY residents, you are subject to this law.
How does the SHIELD Act define a security breach?
Under the SHIELD Act, any unauthorized access to private information qualifies as a breach, even if an unauthorized entity merely views information and does not download or copy it. That is, any indication that private information was viewed, used or altered by a person without authorization counts as a security breach.
The state’s previous data notification law considered only the unauthorized acquisition of personal information to be a breach.
What data is protected under the SHIELD Act?
The act protects two types of data:
- Personal information — This is defined as “any information concerning a natural person which, because of name, number, personal mark, or other identifier [that] can be used to identify such natural person.”
- Private information — This includes a person’s:
  - Social Security number
  - Driver’s license or other ID card number
  - Account number or credit/debit card number (even without a security code, access code or password if the account could be accessed without such information)
  - Biometric information (e.g., fingerprint, voice print, or retina or iris image)
  - Login info, including username or email address, password, and security questions and answers
What are the data breach notification requirements under the SHIELD Act?
The SHIELD Act’s data breach notification requirements are as follows:
- Organizations are obliged to notify the affected individuals whenever personal or private information is disclosed to unauthorized parties.
- Companies can use written, electronic, or phone communication or another notification method, such as a public posting or an announcement via statewide media.
- Companies must send notifications “without reasonable delay.”
- Organizations must inform the State Attorney General about the data disclosure.
What are the data breach notification exceptions under the SHIELD Act?
The New York SHIELD Act excludes several types of data disclosures from its notification requirements.
The first exception is when the breach “was an inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” However, companies still need to document such determinations and maintain the records for at least five years.
Second, the Act doesn’t require duplicate notice to affected individuals when data breach notification is required under another regulation, such as:
- Title V of the Gramm-Leach-Bliley Act (GLBA)
- The Health Insurance Portability and Accountability Act (HIPAA) or Health Information Technology for Economic and Clinical Health Act (HITECH)
- New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
- Any other security rule or regulation administered by any official department, division, commission or agency of the federal or New York State governments
While organizations are not required to issue duplicate notifications to affected individuals, they are still required to notify the New York State Attorney General, the New York State Department of State Division of Consumer Protection, and the New York State Division of the State Police.
Which safeguards are required for New York SHIELD Act compliance?
Organizations are obliged to develop and maintain reasonable safeguards in several areas.
Reasonable administrative safeguards include:
- Designating one or more employees to coordinate security
- Identifying reasonably foreseeable internal and external risks
- Assessing the sufficiency of the safeguards in place to control identified risks
- Training and managing employees in security program practices and procedures
- Selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract
- Adjusting the security program in light of business changes or other new circumstances
Reasonable technical or technological safeguards include:
- Assessing network and software design risks
- Assessing risks in information processing, transmission and storage
- Detecting, preventing and responding to attacks or system failures
- Regularly testing and monitoring the effectiveness of key controls, systems and procedures
Reasonable physical safeguards include:
- Assessing the risks of information storage and disposal
- Detecting, preventing and responding to intrusions
- Protecting against unauthorized access or use of private information during or after data collection, transportation and destruction or disposal
- Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
Are there any exceptions for New York SHIELD Act safeguards?
Yes. There are exceptions for the following:
- Small businesses. To avoid overly burdening small businesses, the Act says that safeguards must be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information” collected. The Act defines small businesses as businesses with fewer than 50 employees, less than $3 million in gross annual revenue in the last 3 fiscal years or less than $5 million in year-end total assets.
- Organizations subject to certain other regulations. Entities compliant with Title V of GLBA, HIPAA or HITECH, 23 NYCRR 500, or other federal or state security rules are also deemed compliant under the SHIELD Act.
What are the deadlines for achieving compliance?
The law’s breach notification requirements have been in effect since October 23, 2019.
The deadline for achieving compliance with the act’s data security measures was March 21, 2020.
Are there penalties for failing to comply with the SHIELD Act?
Under the SHIELD Act’s provisions, consumers do not have a private right of action; therefore, class action litigation is not available.
However, the New York State Attorney General can bring legal action any time within three years of the date when they become aware of the violation or the date when the entity provides notice of the breach, whichever is earlier. Once six years have passed after the breach, no action can be brought, provided the company hasn’t been hiding it.
The penalties vary depending on the type of violation:
- Reasonable safeguard requirement violations: Up to $5,000 per violation
- Knowing and reckless violations: The greater of $5,000 or up to $20 per instance, with a cap of $250,000
- Violations that are not knowing or reckless: Damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses