Last week, Governor Cuomo signed the SHIELD Act into law. As a result, organizations that maintain private information concerning New York state residents will have to develop compliance programs before the law becomes effective in March.
The law will affect both the General Business Law § 899-aa and the State Technology Law § 208 -- impacting both private businesses and state agencies. It is divided into two parts.
The first augments the definition of private information for the purpose of giving notification following a breach of that information; and organizations must comply with these provisions by October 23, 2019. The second part is a new section 4 that requires organizations, in addition to providing notice about a breach, to implement protective measures designed to avoid a breach. Those additional requirements must be implemented by March 21, 2020.
Under the new law, private information is now defined as:
1. Social Security Numbers
2. Driver’s license number or non-driver identification card number
3. Financial account numbers along with the access codes
4. Financial account numbers that without such access codes could still be accessed
5. Biometric information such as fingerprints or voice identification
6. Email account information along with an access password
The law also expands the definition of ”breach.” In the past a breach meant that the unauthorized individual had to have acquired the information for the event to be considered a breach. The new language defines a breach as “unauthorized access to or acquisition of, or access to or acquisition without valid authorization…” Accordingly, under the new definition, merely accessing the information could constitute a breach. Thus, arguably, a ransomware event where no data is exfiltrated would still constitute a breach; since the information was accessed without authorization. We don’t believe that was the intent of the law; and this is supported by the elements the law suggests should be examined to determine whether “access” took place. These all involve viewing or copying the information. Ransomware would not involve an unauthorized person viewing the data prior to encrypting the data. But this warrants investigation to see how the state will construe the law.
Notice of a breach is not required in cases where the access was inadvertent, the individual accessing the information was otherwise authorized to access this sort of private information, and such access could not result in any likely harm to the data subjects. The organization must document both these facts and the basis for reaching the conclusion and keep the records for a period of five years. If more than 500 residents are affected, the determination and documentation must be provided to the state attorney general within 10 days of reaching that determination.
This new breach notification is not intended to require dual notifications in the event an organization must already provide notice of a breach pursuant to Gramm Leach Bliley Act, HIPAA, HITECH, NYS DFS (23 NYCRR 500) or any other state or federal law. Thus, it is essentially a catchall notification procedure for otherwise unregulated businesses.
There are many small amendments to the notification process that are too detailed to explore here. In the event your organization experiences a breach, you should navigate these carefully with your breach counsel.
The more significant amendments pertain to the duty of care an organization now owes to New York state residents to protect the private information in the first place. These may be found in the new Section 4 which will appear in § 899-bb. Organization that fall within the scope of this law must implement the following technical, administrative and physical controls to protect Private Information.
Administrative Controls:
1. designates one or more employees to coordinate the security program;
2. identifies reasonably foreseeable internal and external risks;
3. assesses the sufficiency of safeguards in place to control the
4. identifies risks;
5. trains and manages employees in the security program practices and procedures;
6. selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
7. adjusts the security program in light of business changes or new circumstances
Technical safeguards:
1. assesses risks in network and software design;
2. assesses risks in information processing, transmission and storage;
3. detects, prevents and responds to attacks or system failures; and
4. regularly tests and monitors the effectiveness of key controls, systems and procedures
Physical Safeguards:
1. assesses risks of information storage and disposal;
2. detects, prevents and responds to intrusions;
3. protects against unauthorized access to, or use of, private information during or after the collection, transportation and destruction or disposal of the information; and
4. disposes of private information that is no longer needed for business purposes within a reasonable amount of time , by erasing electronic media so that the information cannot be read or reconstructed
These safeguards are highly aligned to the small business framework outlined by the NIST organization. To actually implement safeguards that satisfy this law, an organization would need to implement a number of NIST or ISO type controls and draft corresponding policy documents.
Assessments would then need to be performed by either internal or external individuals to measure whether the implementation of these controls demonstrate meaningful compliance. In our experience, most organizations are “doing” security. But many fall short in “showing” that security is being performed, and that is the fundamental element missing to claim compliance with any given regulation.
If an organization fails to implement or show that it implemented reasonable safeguards as described above (based upon its size, risk and complexity), it is subject to injunction and penalties pursuant to an action brought by the attorney general. This new amendment does not confer a private right of action.
