Employers: New York’s SHIELD Act Imposes Data Security Requirements on Companies Outside of New York, Too
New York’s recently enacted Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) enhances data breach notification requirements and requires covered organizations to “develop, implement and maintain” a comprehensive data security program to safeguard “private information.” Critically, the statute applies to all companies, regardless of size or location, that own “private information” of New York residents. If your company employs New York residents, the SHIELD Act’s new data security requirements apply. The statute takes effect on October 23, 2019, although the data security requirements are not effective until March 21, 2020.
Reasonable Safeguards Under The SHIELD Act
The SHIELD Act requires that “[a]ny person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information[.]” 2019 NY SB 5575, § 4.2(a). Thus, there is no requirement that the organization have a presence in New York in order for the data security requirements to apply. The statute defines “private information” to mean:
- A user name or e-mail address in combination with a password or security question and answer that would permit access to an online account; or
- “Personal information” in combination with any one or more of the following unencrypted data elements:
  - social security number;
  - driver’s license number or non-driver identification card number;
  - account number, credit or debit card number, in combination with a security code, access code, password or other information that would permit access to an individual’s financial account;
  - account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
  - biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity.
2019 NY SB 5575, § 3.1(b).
“Personal information” is broadly defined to mean “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” Id. § 3.1(a).
An employer may demonstrate compliance with the data security requirements of the SHIELD Act by either:
- Having a data security program that complies with Title V of the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 C.F.R. Parts 160 and 164), the New York State Department of Financial Services’ Cybersecurity Regulation at 23 NYCRR Part 500, or other federal or state data security rules and regulations; or
- Implementing a data security program that includes specified elements to address an organization’s ability to identify, protect, detect, respond and recover from a cybersecurity incident.
2019 NY SB 5575, § 4.2(b).
If an employer does not have a cybersecurity program that is compliant with GLBA, HIPAA or other federal or state regulatory schemes, its data security program must include the following elements in order to comply with the SHIELD Act:
- reasonable administrative safeguards such as the following, in which the person or business:
  - designates one or more employees to coordinate the security program;
  - identifies reasonably foreseeable internal and external risks;
  - assesses the sufficiency of safeguards in place to control the identified risks;
  - trains and manages employees in the security program practices and procedures;
  - selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
  - adjusts the security program in light of business changes or new circumstances; and
- reasonable technical safeguards such as the following, in which the person or business:
  - assesses risks in network and software design;
  - assesses risks in information processing, transmission and storage;
  - detects, prevents and responds to attacks or system failures; and
  - regularly tests and monitors the effectiveness of key controls, systems and procedures; and
- reasonable physical safeguards such as the following, in which the person or business:
  - assesses risks of information storage and disposal;
  - detects, prevents and responds to intrusions;
  - protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
  - disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
2019 NY SB 5575, § 4.2(b)(ii).
A compliant program for a small business – narrowly defined as a business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets – is measured in the context of the size and complexity of the organization, the nature and scope of its activities, and the sensitivity of the personal information collected. Id. §§ 4.1(c), 4.2(c).
What Organizations Should Do
More and more states now require organizations to take affirmative action to safeguard data. The SHIELD Act’s requirements are not unlike, for instance, the standards outlined in the Ohio Data Protection Act or Pennsylvania’s common law requirements following the Pennsylvania Supreme Court’s decision in Dittman v. UPMC, 196 A.3d 1036, 1038 (Pa. 2018).
There is no one-size-fits-all approach to building a compliant data security program. However, there are some key elements that every organization should undertake in developing and implementing a data security program:
- Privacy/Security Officer. Designate a qualified employee to coordinate and oversee the data security program. (Hint: this is not just an IT designation.)
- Policies and Procedures. A written data security program requires policies and procedures outlining controls and expectations that your organization will undertake. Remember your organization’s employee handbooks, too.
- Risk Assessments. Conduct a periodic risk assessment to identify data security risks and gaps in your organization’s data security program.
- Training. Implement, maintain and enforce adequate employee training. Training should be periodic, and also part of any new employee orientation program. Your employees are your strongest/weakest line of defense.
- Third-Party Management. Vet your organization’s service providers to ensure that they have undertaken adequate data security measures.
- Incident Response. Implement a written incident response plan and practice it. Implement a business continuity and disaster recovery plan and practice that, too.
Finally, remember to consult with a cybersecurity attorney with expertise in both data privacy and data security. The law is complex and patchwork, but an attorney will guide your company on where it needs to be in the development of reasonable data security safeguards. An attorney also may assist in the development of a data security program under the auspices of the attorney-client privilege.