New York SHIELD Act Will Impact Businesses Nationwide
The New York “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act (S5575B) came into force on March 21st, 2020, and brings important changes for businesses and persons who hold personal data of New York residents.
Who's in scope?
The Act applies to “any person or business which […] owns or licenses computerized data which includes private information [of New York residents]”. This means that the SHIELD Act also covers businesses that are domiciled outside of the state of New York, as long as they use or hold private information of at least one New Yorker. Any company, no matter its size, should be paying attention if it has at least one New York customer.
What’s in scope?
The SHIELD Act extends the scope of “information” currently enforced under the federal Information Security Breach and Notification Act of 2005.
Personal information is “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
Private information is either:
(i) any personal information combined with certain sensitive data elements, such as a Social Security Number, ID-card or driver’s license number, payment information or biometric information, or
(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
What's considered a data breach?
The definition of the term data breach has also been extended. Before, private information needed to be actively acquired by an unauthorized party to constitute a breach. The SHIELD Act defines a data breach as “the unauthorized access to or acquisition of computerized data that compromises the security, confidentiality or integrity of private information”, meaning that as soon as data is accessed by an unauthorized party, data breach notification requirements come into play.
What obligations do businesses have?
In a nutshell, businesses must have strong security measures in place to protect personal information and must report on data breaches without undue delay.
Specifically, businesses must:
Implement and execute a reasonable security program
Designate a responsible person to coordinate the data security program
Perform risk assessments
Assess the safeguards already in place to control the identified risks
Institute employee security program practices and procedures
Complete vendor and service provider risk assessments
Implement “reasonable technical safeguards”
Assess risks in software and network design
Detect and fix security issues, and respond to attacks or system failures
Regularly test and monitor the effectiveness of key controls, systems, and procedures
Delete private information on a regular basis
Breach notification duties
If private information has been breached, businesses or persons must notify all New York residents whose data was compromised without any “unreasonable delay”.
The State Attorney General, the Department of State and the Division of State Police should be informed about any breach notifications communicated to New York residents; among other details, they should be provided with a copy of the notice template sent out.
Fines and enforcement
The failure to provide an adequate breach notification can be penalized with the greater of $5,000 or $20 per failed notification, capped at $250,000. The New York State Attorney General, currently Letitia James, is responsible for enforcement; there is no private right of action.
How to get ready
Designate a person responsible for the data security plan
Make sure that reasonable security measures are implemented to protect private data
Perform internal and external (service provider) risk assessments
Prepare a robust plan to ensure that risks in software, hardware, data storage, and staff are regularly re-assessed
Prepare appropriate breach notification, breach notification workflows, and breach notification communication methods
Need help? Datawallet can advise you on how to get ready for the NY SHIELD Act. Contact us at firstname.lastname@example.org.