In the fall of last year, we wrote about the passage of the SHIELD Act (the Act) in New York, which expanded aspects of the state’s breach notification requirements (Breach Requirements) and created a statutory obligation to maintain reasonable data security (Security Requirements).  While the Breach Requirements went into effect on October 23, 2019, the new Security Requirements will kick in on March 21, 2020.  As mentioned in our previous post, the SHIELD Act will require any business or person that owns or licenses computerized, “private information” (as broadly defined in the Act) of a New York resident to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the information.  In this post, we’ll focus on what the Act says about how a business can achieve compliance with the Security Requirements.

It’s important to note that the Act does not prescribe specific safeguards or security measures that a business must implement in order to comply with the Security Requirements.  Instead, the Act sets a baseline of “reasonable safeguards” for all businesses and then identifies three situations in which businesses will be deemed in compliance with the Security Requirements.

1. Compliant Regulated Entity. A business will be deemed in compliance with the Security Requirements if it is a “compliant regulated entity” under the Act, which means the business is in compliance with data security requirements under any applicable federal or New York state laws, rules or regulations, such as the federal Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and the NY DFS Cybersecurity Requirements for Financial Services Companies.
2. Data Security Program with Administrative, Technical and Physical Safeguards. A business will be deemed in compliance with the Security Requirements if it implements a data security program that includes administrative, technical and physical safeguards such as:

Administrative Safeguards

• Designating an employee to coordinate the security program;
• Identifying reasonably foreseeable risks;
•  Assessing the sufficiency of current safeguards;
• Training and managing employees;
• Selecting service providers capable of appropriate safeguards and requiring those safeguards by contract;
• Adjusting the security program as the business or circumstances change;

Technical Safeguards

• Assessing network and software design risks;
• Assessing information processing, transmission and storage risks;
• Detecting, preventing and responding to attacks or system failures;
• Regularly testing and monitoring effectiveness of key controls, systems and procedures;

Physical Safeguards

• Assessing information storage and disposal risks;
• Detecting, preventing and responding to intrusions;
• Protecting against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal; and
• Disposing (by erasing) of private information after it’s no longer needed.

What constitutes “reasonable safeguards” under the Act can certainly vary from business to business; however, the Act provides a helpful roadmap for legal compliance.  Also, in addition to security measures for legal compliance, businesses should consider whether there are other security measures that can be implemented to improve their overall cybersecurity posture.