On October 23, 2019, the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act) went into effect. The New York law imposes data breach notification requirements on any business that owns or licenses certain private information of New York residents, regardless of whether it conducts business in New York. A second part of the Act goes into effect on March 21, 2020, requiring businesses to develop, implement and maintain a data security program to protect private information.
Determining whether the SHIELD Act applies to your business and being prepared for a data breach before one occurs is one of the best ways to limit civil monetary penalties for noncompliance, which can include up to $250,000 for breach notification violations and an uncapped amount for failure to comply with data security standards. Here we demystify the SHIELD Act and provide key actions businesses should take to comply.
Verify whether your business has private information of a New York resident.
When determining if the SHIELD Act applies to your business, a key question is whether your business owns or licenses private information of a New York resident. Generally, the Act defines private information as personal information about an individual that can identify them (for example a name) with any one or more of the following:
- Social Security number;
- driver’s license number or non-driver identification card number;
- account number, credit or debit card number that could be used either alone or with additional information (for example a password) to access a person’s financial account; or
- biometric information (for example a fingerprint or voice print).
Private information may also be a username or e-mail address in combination with a password or security question and answer that would permit access to a person’s online account. If your business has private information of a New York resident, the SHIELD Act may require it to disclose a breach to the resident or the state attorney general. Updating your breach notification policy and analyzing whether your business needs to disclose a breach is a key component to compliance, as discussed below.
Update your breach notification policy to include notice to New York residents.
The SHIELD Act expands New York’s breach notification law by requiring a business that owns or licenses private information to disclose any breach of the security of the system to any resident of New York whose private information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person. By expanding the definition of a breach to include unauthorized access of private information, not just the acquisition of it, mere viewing of private information could trigger a reporting requirement.
In certain instances, even if a New York resident’s private information is accessed or acquired, disclosure is not required. If a business determines that an authorized person inadvertently accessed or acquired the private information and that the exposure is unlikely to result in misuse of the information or financial harm to the affected person, notice may not be required. However, the business is required to document its determination and maintain it for at least five years. Disclosure may also not be required if a business already notified the affected person pursuant to other breach notification laws such as the Health Insurance Portability and Accountability Act (HIPAA), although notification to other entities like the state attorney general may still be required.
If your business is required to disclose a breach, time is of the essence. The Act requires businesses to include certain information in the notices and to make any disclosures in the most expedient time possible and without unreasonable delay. Businesses can benefit by updating their current breach notification policy or including disclosure procedures in a data security protection program, as discussed below.
Have a data security protection program in place and follow it.
A significant feature of the SHIELD Act is its requirement for businesses that own or license a New York resident’s private information to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information. There is not a one-size-fits-all model of what should go into a data security protection program but the Act does require that it include reasonable administrative, technical, and physical safeguards, which are described as follows for guidance:
Reasonable administrative safeguards may include:
- designating one or more employees to coordinate the security program;
- identifying reasonably foreseeable internal and external risks;
- assessing the sufficiency of safeguards in place to control the identified risks;
- training and managing employees in the security program practices and procedures;
- selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and
- adjusting the security program in light of business changes or new circumstances.
Reasonable technical safeguards may include:
- assessing risks in network and software design;
- assessing risks in information processing, transmission and storage;
- detecting, preventing and responding to attacks or system failures;
- regularly testing and monitoring the effectiveness of key controls, systems and procedures.
Reasonable physical safeguards may include:
- assessing risks of information storage and disposal;
- detecting, preventing and responding to intrusions;
- protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
- disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Businesses that already comply with certain other data security laws (for example HIPAA) are deemed to comply with the data security program requirement of the SHIELD Act. In addition, a small business with fewer than 50 employees, less than $3 million dollars in gross annual revenue, or less than $5 million dollars in year-end total assets may comply if its security program contains safeguards that are appropriate for its size.
The passage of the SHIELD Act is part of a growing trend among states seeking to toughen data privacy and security laws. The SHIELD Act can apply to any business that holds private information of New York residents, regardless of whether it conducts business in New York. By adopting and following a formal plan that includes a breach notification policy and data security measures to protect private information, businesses can limit their exposure to penalties for noncompliance.