On March 21, 2020, the New York Stop Hacks and Improve Electronic Security Act (“SHIELD Act” or “Act”) goes into effect, the second major cybersecurity law to go into effect this year. Unlike other laws that apply to businesses meeting a specific revenue threshold, the SHIELD Act applies to any business or person that collects the private information of a New York resident, and covered businesses must develop a data security program.
The SHIELD Act applies to companies that collect the following unencrypted information about New York residents:
- A name, number or identifier that can be used to identify a natural person, in combination with any of the following: a social security number or driver’s license number; financial account information, including an account number or credit or debit card number; a password or other information that would permit access to an individual’s financial account; biometric information; or a user name or email address in combination with a password.
Under the SHIELD Act, persons and businesses must establish a data security program with reasonable administrative, technical and physical safeguards. The failure to develop a compliant data security program violates New York’s deceptive acts and practices law. The New York Attorney General may bring an action to enjoin such violations. Businesses may also be liable to a civil penalty of $5,000 for each violation of the data security program requirement.
According to the law, administrative safeguards must include:
- Designating a coordinator to manage the security program;
- Identifying foreseeable internal and external risks to the company;
- Evaluating the sufficiency of the safeguards;
- Training employees on security practices and programs;
- Requiring service providers to contractually maintain appropriate safeguards; and
- Assessing the security program in light of business changes.
Technical safeguards must include:
- Evaluating risks in network and software design;
- Evaluating risks in information processing, transmission and storage;
- Detecting, preventing and responding to cyber attacks or system failures; and
- Monitoring the effectiveness of key controls, systems and procedures on a regular basis.
Physical safeguards must include:
- Evaluating risks in the storage and disposal of information;
- Detecting, preventing and responding to intrusions into the system;
- Protecting against unauthorized access to or use of private information during or after its collection, transportation and destruction; and
- Disposing of private information within a reasonable time after it is no longer needed for a business purpose.
To prepare a compliant data security program under the SHIELD Act, businesses should:
- Determine whether the company meets the Act’s definition of “small business”, as this determination may result in a more flexible standard under the law;
- Determine whether the company has a written information security program already in place;
- If the company does not have a written information security program in place, evaluate its current data security practices, including appointing an individual to oversee the data security program and retaining an outside vendor to conduct a risk assessment for the company;
- If the company does have a written information security program in place, determine whether it is compliant with the SHIELD Act or a recognized data security standard.
The New York SHIELD Act is certain to influence the cybersecurity framework in the United States. Because of the large number of New York residents, businesses must evaluate their data security programs, and consider updating them, as soon as possible to ensure compliance with New York’s law.