New York has enacted the SHIELD Act to amend the state’s data breach notification law to impose more expansive data security and data breach notification requirements on companies. The move aims to ensure New York residents are better protected against data breaches of their private information.
Governor Andrew Cuomo signed the SHIELD Act, which was sponsored by Senator Kevin Thomas and Assemblymember Michael DenDekker, on July 25, 2019. The SHIELD Act takes effect on March 21, 2020.
In this edition, our VP of Compliance answers the most pressing questions in preparation for this new Act, including:
- What does SHIELD stand for?
- Who needs to comply?
- What do I need to do to comply?
- What is considered "Personal Information"?
- What are "reasonable" data security requirements?
- Would the SHIELD Act include any exceptions for small businesses?
- What are the proposed penalties for noncompliance?
- How can DE help me stay in compliance?
What does SHIELD stand for?
Stop Hacks and Improve Electronic Data Security
Who needs to comply?
The SHIELD Act provides that any person or business that owns or licenses computerized data that includes New York residents’ private information must comply with the breach notification requirements, regardless of whether the person or business conducts business in New York.
What do I need to do to comply?
The SHIELD Act imposes requirements in two areas: cybersecurity and data breach notification. The cybersecurity provisions of the SHIELD Act require companies to adopt “reasonable safeguards to protect the security, confidentiality and integrity” of private information. The Act provides examples of appropriate administrative, technical, and physical safeguards, such as designating an employee to oversee the company’s data security program; identifying “reasonably foreseeable” risks to data security; selecting vendors that can maintain appropriate safeguards; detecting, preventing and responding to attacks and system failures; and preventing unauthorized access to private information. The Act also sets out a number of alternative ways a company can be deemed compliant with the cybersecurity provisions.
The Act also deems companies that have been annually certified by an authorized third-party assessor as compliant with any of several specified cybersecurity standards to be compliant with the cybersecurity provisions of the Act, as long as there is no evidence of willful misconduct, bad faith, or gross negligence.
What is considered "Personal Information"?
Unlike other state data breach notification laws, New York’s original data breach notification law included definitions for both “personal information” and “private information.” “Personal information” remains: “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
However, the SHIELD Act expands the definition of “private information,” which specifies the data elements that, if breached, could trigger a notification requirement.
Under the amended law, “private information” means:
• Personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
- Social Security number;
- Driver’s license number or non-driver identification card number;
- Account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; or account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
- Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity;
• A user name or email address in combination with a password or security question and answer that would permit access to an online account.
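The definition above is the rule a breach-triage workflow has to apply record by record, and the part practitioners most often get wrong is the encryption caveat: encryption takes a record out of the first prong only while the key itself has not been accessed or acquired. The Python below is an added example written for this edition, not code from the original article, from Digital Edge, or from the statute; the element labels, the `Record` fields and the sample records are this example's own constructed conventions. It encodes both prongs of the definition and splits a constructed breached dataset into records that meet it and records that do not.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Labels for the data elements in the definition (this example's own names, not statutory terms).
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "nondriver_id", "biometric"}
FINANCIAL_IDENTIFIERS = {"account_number", "card_number"}
# Whatever permits access to the financial account, including the case where the
# number alone is usable without any further identifying information.
FINANCIAL_ACCESS = {"security_code", "access_code", "password", "usable_without_more"}
CREDENTIAL_IDENTIFIERS = {"username", "email"}
CREDENTIAL_SECRETS = {"password", "security_qa"}


@dataclass
class Record:
    record_id: str
    identifies_person: bool                       # "personal information": name, number, or other identifier
    elements: set = field(default_factory=set)    # data elements present in the record
    encrypted: bool = False                       # element / combination stored encrypted
    key_compromised: bool = False                 # the encryption key was also accessed or acquired


def _financial_prong(elements: set) -> bool:
    """Account or card number together with something that permits access to the account."""
    return bool(elements & FINANCIAL_IDENTIFIERS) and bool(elements & FINANCIAL_ACCESS)


def _credential_prong(elements: set) -> bool:
    """User name or e-mail address plus a password or security question and answer."""
    return bool(elements & CREDENTIAL_IDENTIFIERS) and bool(elements & CREDENTIAL_SECRETS)


def is_private_information(rec: Record) -> bool:
    """True if the record meets the amended definition of "private information"."""
    # Encryption removes the first prong only while the key stays uncompromised.
    effectively_exposed = (not rec.encrypted) or rec.key_compromised
    first_prong = (
        rec.identifies_person
        and (bool(rec.elements & STANDALONE_ELEMENTS) or _financial_prong(rec.elements))
        and effectively_exposed
    )
    # The second bullet of the definition states no encryption condition, so none is applied here.
    second_prong = _credential_prong(rec.elements)
    return first_prong or second_prong


def triage(records: list) -> tuple:
    """Split a breached dataset into (in-scope ids, out-of-scope ids), preserving order."""
    in_scope = [r.record_id for r in records if is_private_information(r)]
    out_of_scope = [r.record_id for r in records if not is_private_information(r)]
    return in_scope, out_of_scope


# Constructed sample records for illustration only.
SAMPLE_RECORDS = [
    Record("r1", True, {"ssn"}),                                        # name + SSN in plaintext
    Record("r2", True, {"ssn"}, encrypted=True),                        # encrypted, key not taken
    Record("r3", True, {"ssn"}, encrypted=True, key_compromised=True),  # encrypted, key also taken
    Record("r4", True, {"card_number"}),                                # card number with no access info
    Record("r5", True, {"card_number", "security_code"}),               # card number + security code
    Record("r6", False, {"email", "password"}),                         # online-account credentials
    Record("r7", True, set()),                                          # name only
    Record("r8", True, {"biometric"}),                                  # name + fingerprint template
]

if __name__ == "__main__":
    needs_notice, no_notice = triage(SAMPLE_RECORDS)
    print("meet the definition:", needs_notice)
    print("do not:", no_notice)
```

Record r2 is the case the encryption safe harbor is meant for; r3 shows why the key's exposure must be established during the investigation before relying on it, and r4 versus r5 shows that a card number alone is out of scope until something that permits account access accompanies it.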
What are "reasonable" data security requirements?
The SHIELD Act provides that any person or business that owns or licenses computerized data that includes a New York resident’s private information must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. Businesses in compliance with such laws as HIPAA and the GLBA are considered in compliance with this requirement.
The law provides examples of practices considered reasonable administrative, technical, and physical safeguards. For example, risk assessments, employee training, selecting vendors capable of maintaining appropriate safeguards and implementing contractual obligations for those vendors, and disposal of private information within a reasonable time are all practices that qualify as reasonable safeguards.
Would the SHIELD Act include any exceptions for small businesses?
Yes. Small businesses are considered compliant with the cybersecurity requirements of the Act “if they implement and maintain reasonable safeguards [for private information] that are appropriate to the size and complexity of the small business.” The Act defines a “small business” as one consisting of fewer than 50 employees, having a gross revenue of under $3 million for the last three fiscal years, or having under $5 million in assets.
What are the proposed penalties for noncompliance?
Any company that fails to comply with the cybersecurity requirements of the Act is considered to have violated New York’s law prohibiting deceptive acts and practices. While the Act does not provide a private right of action to consumers, it authorizes the attorney general to bring an action for damages of not more than $5,000 per violation, pursuant to New York General Business Law 350-d.
The Act also increases the penalties for a company’s failure to provide proper notice of a data breach to affected data subjects. Actual damages are available for failure to notify where notification was required, as is the case in the existing New York law. Companies that knowingly or recklessly fail to issue proper notice may be subject to a civil penalty of the greater of $5,000 or $20 per failed notification (up from $10 per failed notification), the latter of which is capped at $250,000 (up from $150,000 under New York’s current breach notification law).
How can DE help me stay in compliance?
Digital Edge is an expert in compliance standards and is certified by the International Organization for Standardization on Information Security and Quality (ISO 27001). There is a clear crosswalk between the SHIELD Act and ISO standards. Digital Edge will help implement policies, standards and practices to cover all DFS requirements based on the International Organization for Standardization framework.
Contact us today to further explore how our team can provide your business with an unparalleled cybersecurity solution, with our continued focus on Stability, Security, and Compliance.