New York’s SHIELD Act Cheat Sheet
Effective October 23, 2019 for changes in data breach notification requirements, and March 21, 2020 for new data security requirements, New York’s “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act) broadens the state’s data breach notification requirements and requires covered businesses to have “reasonable” data security safeguards. The Act applies to any person or business, even those outside of the state, owning or licensing computerized data containing “private information” of a New York resident.
Critically, the SHIELD Act requires companies to implement and maintain reasonable data security measures to protect the security, confidentiality and integrity of private information. The statute has specific criteria for what constitutes “reasonable” safeguards, including designating a person to manage the program and conducting due diligence on the data security measures of third-party service providers. The statute’s effect is to require companies that have New York residents’ private information, and those companies who do business with them, to design and implement appropriate data security programs.
I. New Data Security Requirements (Effective March 21, 2020)
Any person or business that owns or licenses computerized data which includes private information of a resident of New York must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of such data.
To comply with this requirement, an entity must either:
- have a compliant data security program under the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act), New York’s DFS cyber regulations, or other applicable federal or New York cybersecurity regulations; or
- have a data security program with “reasonable” administrative, technical and physical safeguards. The statute specifies what measures are required to meet a reasonableness requirement.
  - Reasonable administrative safeguards include:
    - designating one or more employees to manage the data security program;
    - identifying reasonably foreseeable internal and external risks;
    - assessing the sufficiency of safeguards in place to control the identified risks;
    - providing employee training;
    - conducting due diligence on third-party vendors to ensure they have appropriate data security programs, and requiring “appropriate safeguards” by contract; and
    - adapting the security program to business changes or new circumstances.
  - Reasonable technical safeguards include:
    - assessing network and software design security risks;
    - assessing risks in information processing, transmission, and storage;
    - ensuring adequate detection, prevention, and response processes for attacks or system failures; and
    - regularly testing and monitoring the effectiveness of key controls, systems and procedures.
  - Reasonable physical safeguards include:
    - assessing security risks in data storage and disposal;
    - ensuring adequate detection, prevention, and response processes for intrusions;
    - protecting against unauthorized access to or use of private information during or after the collection, transportation, and disposal of the information; and
    - disposing of private information within a reasonable amount of time after it is no longer needed for business purposes.
Small businesses are not exempt from implementing data security safeguards, although the safeguards need only be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” The SHIELD Act defines a “small business” as “any person or business” with:
(i) fewer than fifty employees;
(ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or
(iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.
II. Broadened Data Breach Notification Requirements (Effective October 23, 2019)
The SHIELD Act requires any person or business conducting business in New York to give notification of a “breach of security” where (1) the compromised data is computerized data containing “private information” of a New York resident, and (2) the compromised data is “reasonably believed” to have been accessed or acquired by a person without valid authorization. The SHIELD Act expands notification obligations by:
- now defining “breach of security” to include unauthorized access to data, i.e., the “unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of personal private information maintained by a business”; and
- adding data elements to covered data, including biometric data. “Private information” is defined as personal information combined with one or more of the following non-encrypted data elements:
(i) social security number;
(ii) driver’s license or non-driver identification card number;
(iii) account, credit card or debit card number, in combination with a security code, access code, password or other information that permits access to the financial account;
(iv) account, credit, or debit card number if that number alone could access an individual’s financial account; or
(v) biometric information, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation used to authenticate or ascertain an individual’s identity.
“Private information” also includes “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.”
“Breach of security” does not include “good faith access to, or acquisition of private information by an employee or agent of the business,” so long as the data is not used or subject to unauthorized disclosure. In addition, notification is not required where disclosure was inadvertent by persons with authorized access, and the person/business “reasonably determines” that the disclosure “will not likely result in misuse of such information,” or financial or emotional harm.
Where notification is required, it must be made “in the most expedient time possible and without unreasonable delay.”