As previously discussed, last year New York enacted the "Stop Hacks and Improve Electronic Data Security Act" (SHIELD Act), which requires businesses that hold private information of New York residents to implement a written data security program with "reasonable" data security safeguards. The legislation affects every New York employer, and many companies outside New York, simply by virtue of their holding a New York resident's private information. What may be getting lost in the COVID-19 outbreak is that the Act's data security requirements take effect on March 21, 2020, after which compliance is mandatory.
Under the SHIELD Act, any person or business that owns or licenses computerized data containing private information of a New York resident must "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity" of such data. The statute is specific as to what constitutes a data security program having “reasonable safeguards.” To comply with the Act, an entity must either:
- have a data security program that complies with the Gramm-Leach-Bliley Act (GLBA); the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act); the New York Department of Financial Services (DFS) cybersecurity regulations; or other applicable federal or New York data security regulations; or
- have a data security program with "reasonable" administrative, technical and physical safeguards.
  - Reasonable administrative safeguards include:
    - designating an employee to manage the data security program;
    - identifying reasonably foreseeable internal and external risks, and assessing the sufficiency of the safeguards in place to control those risks;
    - implementing effective employee training;
    - conducting due diligence on third-party vendors and service providers to ensure they maintain appropriate data security programs, and requiring "appropriate safeguards" by contract; and
    - adapting the security program to business changes or new circumstances.
  - Reasonable technical safeguards include:
    - assessing security risks in network and software design, including risks in information processing, transmission and storage;
    - ensuring adequate processes to detect, prevent and respond to attacks or system failures; and
    - regularly testing and monitoring the effectiveness of key controls, systems and procedures.
  - Reasonable physical safeguards include:
    - assessing security risks in data storage and disposal;
    - ensuring adequate processes to detect, prevent and respond to intrusions into physical areas;
    - protecting against unauthorized access to or use of private information during or after its collection, transportation and disposal; and
    - implementing data retention policies that require safe disposal of private information within a reasonable time after it is no longer needed for business purposes.
Small Businesses Are Not Exempt
Small businesses are not exempt from the SHIELD Act's requirement to implement data security safeguards. The Act provides only that a small business's safeguards need be "appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers." In practice, the provision simply acknowledges that a one-size-fits-all approach will not work. A small healthcare facility will be expected to have far more stringent data security safeguards than a plumbing and HVAC business, but both must have an appropriate program in place based on their operations, resources, and the sensitivity of the information they collect.
The SHIELD Act defines a "small business" as "any person or business" with:
(i) fewer than 50 employees;
(ii) less than $3 million in gross annual revenue in each of the last three fiscal years; or
(iii) less than $5 million in year-end total assets, calculated in accordance with generally accepted accounting principles.
While the COVID-19 outbreak may have momentarily diverted attention from the SHIELD Act's requirements, they must not be ignored. Cyberattacks are already on the rise in the wake of the outbreak, and a company found to be non-compliant with the SHIELD Act after suffering such an attack may face greater legal liability.
Businesses with strong data security programs already in place may need only minor adjustments, or, if their programs are GLBA, HIPAA or HITECH compliant, for instance, no adjustments at all. Other companies, especially small and mid-sized ones, may require more attention, but there are efficient and effective ways to develop such programs. Companies that have not previously been required to develop a program under a regulatory standard should consult qualified counsel.