The hottest IT concern today is undoubtedly data privacy. With personal data being exposed in massive breaches, resulting in issues like identity theft, state governments are adopting privacy protection laws, and a federal U.S. privacy bill is also in the works.
One such law is the New York SHIELD Act, which was signed into law by the state’s governor on July 25, 2019, and became partially effective on October 23, 2019. This article explores its key provisions, scope and penalties.
What is the New York SHIELD Act?
The “Stop Hacks and Improve Electronic Data Security” Act does three important things:
- First, it broadens the definitions of “private information” and “data breach” that existed in New York data breach notification law.
- Second, it updates the notification procedures that companies and state entities must follow when there has been a breach of private information.
- Third, the Act requires organizations to develop, implement and maintain administrative, technical and physical safeguards to protect the data of New York residents.
Each of these is discussed in more detail below.
Do I have to comply with the SHIELD Act?
Even if your organization is not conducting business in New York, you might be subject to the SHIELD Act. It applies to any individual or business that owns or licenses private information of a New York resident, including the data of employees and customers.
How does the Act define a security breach?
Under the SHIELD Act, unauthorized access to private information qualifies as a breach — even if an unauthorized entity merely views information and does not download or copy it. Previously, the State’s data notification law only considered the unauthorized acquisition of personal information to be a breach.
The definition also adds more factors for determining whether unauthorized access has taken place; they are “indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”
What data is protected under the SHIELD Act?
Under the New York data security act, two types of data need protection:
- Personal information. Under New York’s data breach notification law, this is defined as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
- Private information. Certain types of computerized data could also trigger the notification requirement in case of a data breach, such as:
- Social Security number
- Driver’s license or another ID card number
- An account number or credit/debit card number (even without a security code, access code or password if the account could be accessed without such information)
- Biometric information (e.g., fingerprint, voice print, retina or iris image)
- Login info, including username/email address, password, and security questions and answers
What are the data breach notification requirements under the SHIELD Act?
Whenever personal or private information is disclosed to unauthorized parties, the organization is obliged to give notice to the individuals affected. Companies can use written, electronic or phone communication or another notification method, such as a public posting or an announcement via statewide media. The notification should be done “without unreasonable delay.” The organization must also inform the State Attorney General about the data disclosure.
The law excludes several types of data disclosures from its notification requirements. The first exception is when the breach “was an inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” However, companies still need to document such determinations and maintain the records for at least five years.
Second, the Act doesn’t require duplicate notice to affected individuals when data breach notification is required under another regulation, such as:
- Title V of the Gramm-Leach-Bliley Act (GLBA)
- The Health Insurance Portability and Accountability Act (HIPAA) or Health Information Technology for Economic and Clinical Health Act (HITECH)
- New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
- Any other security rule or regulation administered by any official department, division, commission or agency of the federal or New York state governments
While organizations are not required to issue duplicate notifications to affected individuals, they are still required to notify the New York State Attorney General, the New York State Department of State Division of Consumer Protection and the New York State Division of the State Police. Therefore, failure to report a breach could result in a violation of multiple regulations (e.g., HIPAA and New York’s SHIELD Act), potentially triggering penalties under each measure.
Which safeguards are required?
Organizations are obliged to develop and maintain administrative, technological and physical safeguards as part of a written information security program.
Reasonable administrative safeguards include:
- Designating one or more employees to coordinate security
- Identifying reasonably foreseeable internal and external risks
- Assessing the sufficiency of the safeguards in place to control identified risks
- Training and managing employees in the security program practices and procedures
- Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract
- Adjusting the security program in light of business changes or other new circumstances
Reasonable technical safeguards include:
- Assessing network and software design risks
- Assessing risks in information processing, transmission and storage
- Detecting, preventing and responding to attacks or system failures
- Regular testing and monitoring of key controls, systems and procedures
Reasonable physical safeguards include:
- Assessing the risks of information storage and disposal
- Detecting, preventing and responding to intrusions
- Protecting against unauthorized access or use of private information during or after data collection, transportation, and destruction or disposal
- Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
Exception for small businesses
To avoid overly burdening small businesses, the Act says that safeguards need to be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information” collected.
The Act defines a small business as one that has fewer than 50 employees; less than $3 million in gross annual revenue in each of the last 3 fiscal years; or less than $5 million in year-end total assets.
Exception for organizations subject to certain other regulations
Entities that are compliant with Title V of GLBA, HIPAA or HITECH, 23 NYCRR 500, or other federal or state security rules are also deemed compliant under the SHIELD Act.
What are the deadlines for achieving compliance?
As of October 23, 2019, organizations subject to the SHIELD Act must comply with the law’s breach notification requirements. This also applies to entities already regulated by NYS DFS, HIPAA, HITECH, GLBA, and any other data security rules and regulations of the federal or New York State government.
March 21, 2020, is the deadline for achieving compliance with the Act’s data security measures.
Are there penalties for failing to comply with the SHIELD Act?
Under the SHIELD Act, consumers do not have a private right of action; therefore, class action litigation is not available.
However, the state Attorney General can bring legal action at any time within three years of the date when the Attorney General becomes aware of the violation or the date when the entity provides notice of the breach, whichever comes first. Once six years have passed since the breach, no action can be brought, provided the company has not been concealing it.
The penalties vary depending on the type of violation:
- Reasonable safeguard requirement violations: Up to $5,000 per violation
- Knowing and reckless violations: The greater of $5,000 or up to $20 per instance with a cap of $250,000
- Violations that are neither knowing nor reckless: Damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses
The SHIELD Act brings long-awaited clarity to critical terminology, widening the definition of “data breach” to strengthen personal data protection. Organizations now have even more reason to improve their security posture by adopting effective measures to protect individuals’ privacy.