New York SHIELD Act: What New Data Security Requirements Mean for Your Business

Kramer Levin Naftalis & Frankel LLP


Certain provisions of the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) recently took effect in the state of New York. The act was signed into law by the governor in July 2019. Its data breach notification rules, which expanded the definition of a reportable breach and of the personally identifiable information (PII) covered, and which tightened notification and reporting requirements, took effect in October 2019. The act's new data security requirements became effective later, on March 21, 2020, with limited fanfare amid a global pandemic. Those security requirements nevertheless have significant impact, particularly because they reach non-New York businesses that hold New York resident data.

Does the act apply to your company?

The SHIELD Act's jurisdiction is broad: it applies to every company that holds New York resident data, not just to New York companies. The act covers "[a]ny person or business which owns or licenses computerized data which includes private information" of a resident of New York. The previous version of the law was limited to companies that conduct business in New York.

How is your company impacted by the act?

The impact of the act is twofold. First, your company must disclose data breaches, which the SHIELD Act defines to include unauthorized access to private information as well as unauthorized acquisition of it, and must notify affected New York residents and the New York regulators (the state attorney general, the Department of State and the Division of State Police) if a breach occurs. Second, your company must implement safeguards to protect the security, confidentiality and integrity of private information; in other words, it must have a data security program.

The act does not prescribe specific controls. Instead, it lists practices that are considered reasonable administrative, technical and physical safeguards, and for each category it lists actions or procedures a company should consider implementing.

1. Administrative safeguards:

  • Designating one or more employees to coordinate the company’s security program;
  • Identifying reasonably foreseeable internal and external risks;
  • Assessing the sufficiency of the safeguards in place;
  • Training and managing employees on the security program;
  • Selecting providers that can maintain appropriate safeguards (and requiring same by contract); and
  • Updating the security program in light of business changes or new circumstances.

2. Technical safeguards:

  • Assessing risks in network and software design, as well as in information processing, transmission and storage;
  • Detecting, preventing and responding to attacks or system failures; and
  • Regularly testing and monitoring the effectiveness of key controls, systems and procedures.

3. Physical safeguards:

  • Assessing the risks of information storage and disposal;
  • Detecting, preventing and responding to intrusions;
  • Protecting against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal; and
  • Disposing of private information within a reasonable time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed.

Although these lists are not prescriptive, the act provides that a business whose data security program includes these elements is "deemed" to be in compliance with the requirement to implement and maintain reasonable safeguards. Whether these safeguards have been implemented and are actually in place will likely weigh heavily if a company is audited or investigated by the New York State Attorney General's Office, or if a breach results in litigation or a dispute.

Businesses should also note that service providers with access to the company's employee or customer personal data, or that in some way might provide an entryway into the company's network or systems, are expected to meet the same standards and best practices. Simply put, a business cannot contract its way out of its statutory obligations, and it should scrutinize its contracts and relationships with third-party service providers. Although the act mentions service providers only in the administrative safeguards list (selecting providers capable of maintaining appropriate safeguards and requiring those safeguards by contract), it is prudent for any business to require by contract that service providers maintain appropriate technical and physical safeguards as well.

Are there any exemptions?

All businesses, regardless of size, are required to disclose data breaches. The required safeguards, however, are tailored to the size of the company. Separately, a business that is already subject to, and compliant with, the Gramm-Leach-Bliley Act, the HIPAA/HITECH security rules or the New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500) is deemed to be in compliance with the act's safeguards requirement.

Companies that meet the definition of "small business" must still maintain a data security program, but the program may be scaled based on three factors:

  1. The size and complexity of the business;
  2. The nature and scope of its activities; and
  3. The sensitivity of the personal information collected from or about consumers.

To qualify as a small business under the act, a business must meet at least one of the following criteria:

  • Fewer than 50 employees;
  • Less than $3 million in gross annual revenue in each of the last three fiscal years; or
  • Less than $5 million in year-end total assets, calculated in accordance with generally accepted accounting principles.

Even if a company qualifies as a small business, it must still implement reasonable safeguards that are appropriate in light of the three factors above. Small businesses should also assess their service providers' practices against the applicable statutory requirements.

Next steps: Review compliance with the act

Although the requirements in the SHIELD Act are high level, implementing them can be complex, especially for larger businesses. The technical safeguards in particular can require significant investment in software and equipment to ensure consumer data is handled properly. Service providers are held to the same standard of reasonableness, so it is important for businesses to understand how to incorporate the appropriate safeguards into their service contracts and to obtain professional advice as necessary. Companies already subject to other robust privacy laws and regulations, such as the European Union's General Data Protection Regulation or the recently enacted California Consumer Privacy Act, may have already grappled with many of these safeguards. The SHIELD Act is nonetheless unique in certain of its specifics, and every company that holds New York resident PII should review its security programs and policies for compliance with the act.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kramer Levin Naftalis & Frankel LLP | Attorney Advertising
