Morris Manning & Martin, LLP

New York SHIELD Act Expands Data Security Requirements for Businesses Collecting New York Resident Private Information


The Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”) imposes substantive data security requirements on businesses collecting New York resident private information. The data security requirements under the SHIELD Act will take effect on March 21, 2020. Under the SHIELD Act, any business that retains computerized private information of New York residents must develop a data security program to protect the private information. The SHIELD Act defines private information as unencrypted information that can identify a person in combination with a social security number, driver’s license number, financial account information, including an account number, credit or debit card number, biometric information, a user name or email address in combination with a password or any unsecured protected health information held by a “covered entity.”

The SHIELD Act requires businesses to establish a data security program and prescribes specific components when implementing administrative, technical and physical safeguards.


Administrative safeguards must include:

  • Coordinator to manage the security program; 
  • Identification of foreseeable internal and external risks to the company; 
  • Evaluation of sufficiency of the safeguards;
  • Training employees on security practices and programs;
  • Requiring service providers to contractually maintain appropriate safeguards; and
  • Assessing the security program in light of business changes.

Technical safeguards must include:

  • Evaluation of risks in network and software design;
  • Evaluation of risks in information processing, transmission and storage;
  • Detection, prevention and response to cyber attacks or system failures; and
  • Monitoring the effectiveness of key controls, systems and procedures on a regular basis.

Physical safeguards must include:

  • Evaluation of risks of the storage and disposal of information;
  • Detection, prevention and response to intrusions of the system;
  • Ensuring protection against unauthorized access to or use of private information during or after the collection, transportation and destruction of such information; and
  • Disposing of private information within a reasonable amount of time after the information is no longer needed for a business purpose.

Businesses that are required to comply with the data security requirements under the following laws are deemed to be compliant with the data security program requirements: Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and Part 500 of Title 23 of the official compilation of codes, rules and regulations of the state of New York (Cybersecurity Requirements for Financial Services Companies).

Additionally, any business defined as a small business under the SHIELD Act is deemed to be compliant with the data security requirements if the small business’s security program has reasonable administrative, technical and physical safeguards that are appropriate for the size of the business, the nature and scope of the business’s activities, and the sensitivity of the personal information that the business collects from consumers. A small business is defined as a business with (1) fewer than fifty employees; (2) less than three million dollars in gross annual revenue in each of the previous three fiscal years; or (3) less than five million dollars in year-end total assets.

The SHIELD Act also amended New York’s data breach notification law. The amendment broadens the definition of a “breach of the security of the system” to include unauthorized access to computerized private information. The SHIELD Act expanded the applicability of the notification provision from businesses that conducted business in the State to any business that owns computerized private information. The amended provisions provide an exemption from the notification requirements if the exposure of the private information was an inadvertent disclosure that is unlikely to result in harm to the affected persons. Additionally, any covered entity required to provide notification of a breach to the Secretary of Health and Human Services under HIPAA must also notify the New York State Attorney General within five business days of notifying the Secretary. The data breach notification provisions of the SHIELD Act take effect on October 23, 2019.

Any business that fails to develop a compliant data security program will violate New York’s deceptive acts and practices law. The attorney general may bring an action to enjoin such violations. Businesses may also be liable to a civil penalty of $5,000 for each violation of the data security program requirement. The SHIELD Act does not specify a limit for the civil penalty nor does it define what is considered a single violation of the data security program requirement. Any business that violates the data breach notification requirement may be fined the greater of $5,000 or up to $20 per instance (with a cap of $250,000).

With an effective date months after the California Consumer Privacy Act, the SHIELD Act is one of many data privacy laws passed in recent months aimed at protecting consumers’ personal information.