While most businesses have been preoccupied with navigating the effects of the COVID-19 pandemic, a significant change to businesses’ data security obligations has taken effect in New York. On March 21, 2020, the second part of the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act) went into effect in New York State. The SHIELD Act was signed into law in July 2019 and part of the legislation, amending New York’s data breach notification law, went into effect last October. The new data security requirements are not limited to a specific industry, but apply to any person or business that owns or licenses computerized data that includes the private information of New York residents.[1]
The SHIELD Act mandates a covered business “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including but not limited to, disposal of data.” To comply with the SHIELD Act, a business’ data security program must include the following:
- “Reasonable administrative safeguards,” such as:
- Designating “one or more employees to coordinate the security program”;
- Identifying “reasonably foreseeable internal and external risks”;
- Assessing “the sufficiency of safeguards in place to control the identified risks”;
- Training and managing “employees in the security program practices and procedures”;
- Selecting “service providers capable of maintaining appropriate safe-guards” and requiring “those safeguards by contract”; and
- Adjusting “the security program in light of business changes or new circumstances.”
- “Reasonable technical safeguards,” such as:
- Assessing “risks in network and software design”;
- Assessing “risks in information processing, transmission and storage”;
- Detecting, preventing and responding “to attacks or system failures”; and
- Regularly testing and monitoring “the effectiveness of key controls, systems and procedures.”
- “Reasonable physical safeguards,” such as:
- Assessing “risks of information storage and disposal”;
- Detecting, preventing, and responding “to intrusions”;
- Protecting “against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information”; and
- Disposing “of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”
A small business[2] complies with the SHIELD Act’s data security program requirements where its “security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”
In addition, any entity that is subject to and in compliance with (i) regulations promulgated pursuant to Title V of the federal Gramm-Leach-Bliley Act, (ii) regulations implementing the federal Health Insurance Portability and Accountability Act (HIPAA) and the federal Health Information Technology for Economic and Clinical Health Act (HITECH Act), (iii) the New York State Department of Financial Services Cybersecurity Regulation, or (iv) any other federal or New York State data security rule, regulation, or statute, is deemed compliant with the SHIELD Act’s data security mandate.
The New York State Attorney General is empowered to enforce the SHIELD Act’s data security requirements and may seek injunctive relief and damages of up to $5,000 per violation. The Act, however, explicitly excludes a private right of action under the data security requirements section.
[1] “Private information” is defined in N.Y. Gen. Bus. § 899-aa and includes “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person” in combination with “(1) social security number; (2) driver’s license number or non-driver identification card number; (3) account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; (4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or (5) biometric information[.]” “Private information” also includes “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.”
[2] A “small business” is defined as “any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.”