On March 21, 2020—just as the COVID-19 crisis began upending our way of life—New York State’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into effect fully.  The SHIELD Act, which amends New York’s 2005 breach notification law to “keep pace with current technology,” was signed into law on July 25, 2019 by Governor Andrew Cuomo.  The first phase of the Act went into effect in October 2019, and its second phase took effect last month.

The SHIELD Act requires persons or businesses in New York to disclose any security breach to the New York residents whose information was compromised.  The Act also gives the Attorney General the power to bring an action on behalf of the State to enforce the disclosure requirement.  This new version of the Act was split into two phases: the first phase broadened the notification requirements and the second phase requires businesses to put reasonable measures in place to protect information. 

The newly amended SHIELD Act expands the definition of “personal information” that was covered under New York’s original breach notification law to include account numbers, biometric information, and login credentials.  The definition of “breach” has also been expanded to include unauthorized access to data, not just the acquisition of data. 

Importantly, the SHIELD Act also expands the territorial reach of the law from those who conduct business in New York to any person or business that owns or licenses private information of a New York resident—much like the broad reach of the California Consumer Privacy Act.  Click here for our ongoing coverage of the CCPA.

The SHIELD Act gives the New York Attorney General Letitia James the power to bring claims and seek restitution against businesses that fail to report a breach, and allows her to bring an action for injunctive relief against businesses who fail to enact reasonable data security measures.  The SHIELD Act lists several examples of reasonable safeguards—administrative, technical, and physical—that businesses can enact to comply with the newly amended law:

• Reasonable administrative safeguards include:

(i) designating one or more employees to coordinate the security program;

(ii) identifying reasonably foreseeable internal and external risks;

(iii) assessing the sufficiency of safeguards in place to control the identified risks;

(iv) training and managing employees in the security program practices and procedures;

(v) selecting service provides capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and

(vi) adjusting the security program in light of business changes or new circumstances.

• Reasonable technical safeguards include:

(i) assessing risks in network software design;

(ii) assessing risks in information process, transmission and storage;

(iii) detecting, preventing and responding to attacks or system failure; and

(iv) regularly testing and monitoring the effectiveness of key control, systems, and procedures.

• Reasonable physical safeguards include:

(i) assessing risks of information storage and disposal;

(ii) detecting, preventing and responding to intrusions;

(iii) protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and

(iv) disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Additionally, ninety days after reporting a breach to the Attorney General, the reporting business has to deliver a report on the scope of the breach along with “recommendations to restore and improve the security of the system” to the state. 

While the SHIELD Act adds significant enforcement power to the Attorney General’s arsenal and puts New York businesses on notice that they need to step up their data privacy systems, there is no private right of action.

This second phase of the SHIELD Act kicked in at an inopportune time for business owners, who are likely struggling with other security concerns; namely, the rise in phishing and hacking attempts that have proliferated with the COVID-19 crisis.  This uptick is of particular concern for businesses who have employees working from home who may have less stringent security protocols on their home networks and hardware.  Keeping your information safeguarded, pursuant to the Act’s new requirements, may help in more ways than one.