The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), or Senate Bill 5575, was enacted on July 25, 2019, as an amendment to the New York State Information Security Breach and Notification Act. The law goes into effect on March 21, 2020.
The motivation behind the SHIELD Act is to update New York's data breach notification law to keep pace with current technology. The bill broadens the scope of information covered under the notification law and updates breach notification requirements when there has been a breach of data.
It also broadens the definition of a data breach to include an unauthorized person gaining access to private information and requires organizations to employ reasonable data security.
Critically, this includes the designation of a person to run the vendor risk management process and to conduct due diligence on the data security measures of third-party vendors and service providers. To help with adherence, the SHIELD Act provides standards tailored to the size of a business and protections from liability for certain entities.
In short, the SHIELD Act imposes stronger obligations on businesses handling personal and private information to mitigate threats that contribute to identity theft, such as data breaches and data leaks.
Why is the SHIELD Act Important?
The SHIELD Act is important because it has "extraterritorial application," which means it covers all employers, individuals, or organizations that collect private information on New York residents, regardless of location.
Previously, data breach notification requirements were limited to those that conduct business in New York. Other examples of extraterritorial data protection laws include the California Consumer Privacy Act (CCPA), the EU's General Data Protection Regulation (GDPR), and The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD).
The other important part is the mandatory implementation of a data security program with specific safeguards such as risk assessments, workforce training, incident response planning, and testing, as well as the increased scope of what constitutes a security breach: any viewing of private information could now trigger a reporting requirement.
The law aligns the State of New York with other states such as California, Rhode Island, and Massachusetts.
How Has the SHIELD Act Changed Data Breach Notification Requirements?
The SHIELD Act amends New York's existing breach notification law and broadens notification requirements, requiring notification if compromised data is:
- Computerized data containing private information of a New York resident
- Reasonably believed to have been accessed or acquired by a person without valid authorization
The SHIELD Act has substantially expanded the definition of private information to now include, in addition to social security numbers, driver's license numbers, credit or debit card numbers, and financial account numbers: biometric information; email addresses and the corresponding passwords or security questions and answers; and financial account numbers without a required security code if an unauthorized person could access the account.
Additionally, the definition of a data breach has been broadened to include unauthorized access rather than solely unauthorized acquisition. That said, the law does distinguish access made in good faith from a breach.
A breach in security does not include "good faith access to, acquisition of private information by an employee or agent of the business" as long as the data is not used or subject to unauthorized disclosure. Nor is notification required where disclosure was inadvertent by persons with authorized access, and the business reasonably determines the disclosure will not result in misuse of such information or financial or emotional harm.
Nor does the SHIELD Act impose specific time constraints on data breach notification, unlike other data protection laws like GDPR, instead opting for notification "in the most expedient time possible and without unreasonable delay."
The exception is HIPAA/HITECH covered entities that must notify the Secretary of Health and Human Services of a breach, including a breach of information (such as protected health information) that is not private information under the SHIELD Act; such entities must then provide the notification to the state attorney general within five business days of notifying the Secretary.
Who Must Comply With the SHIELD Act?
The SHIELD Act broadly requires that "any person or business" that owns or licenses computerized data, which includes private information of a New York resident, "shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including, but not limited to, the disposal of the data."
That said, entities with a data security program compliant under the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and/or the New York State Department of Financial Services Cybersecurity Regulation are exempt, as compliance with these laws is deemed compliance with the SHIELD Act's data security requirements.
The other exemption is for small businesses, which may scale their data security requirements according to their size and complexity, the nature and scope of their business activities, and the nature and sensitivity of the information they collect.
The SHIELD Act defines a small business as any person or business that meets one of the following criteria:
- Fewer than fifty employees
- Less than three million dollars in gross annual revenue in each of the last three fiscal years
- Less than five million dollars in year-end total assets, calculated following generally accepted accounting principles (GAAP)
How to Comply With the SHIELD Act
The SHIELD Act requires that organizations implement a data security program that includes at least the following:
- Reasonable administrative safeguards: designating one or more employees to coordinate the security program; identifying foreseeable internal and external risks; assessing the sufficiency of safeguards in place to control the identified risks; training and managing employees in the security program's practices and procedures; selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract; and adjusting the security program in light of business changes or new circumstances
- Reasonable technical safeguards: assessing cybersecurity risk in network and software design; assessing risks in information processing, transmission, and storage; detecting, preventing, and responding to cyber attacks or system failures; and regularly testing the effectiveness of key controls, systems, and procedures
- Reasonable physical safeguards: assessing risks of information storage and disposal; detecting, preventing, and responding to intrusions; protecting against unauthorized access to or use of private information during or after collection, transportation, and destruction or disposal; and disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
What are the Penalties For Not Complying With the SHIELD Act?
Failure to implement a compliant information security program is enforced by the New York State Attorney General and can result in injunctive relief and civil penalties of up to $5,000 per violation.
Businesses that fail to comply with the breach notification requirements can be held liable for the "actual costs or losses incurred by a person entitled to notice." In addition, if the business violates the provision "knowingly or recklessly," a civil penalty of the greater of $5,000 or $20 per instance of failed notification may be imposed, up to a maximum of $250,000.
How is Personal Information Defined in the SHIELD Act?
The SHIELD Act defines personal information as any information concerning a natural person which, because of name, number, personal mark, or identifier, can be used to identify them.
How is Private Information Defined in the SHIELD Act?
The SHIELD Act defines private information as:
- Any personally identifiable information (PII) such as name, number, or other identifier coupled with a social security number, driver's license number or non-driver identification card number, account number, credit card or debit card number in combination with any security code, access code, password or other information that would permit access to the individual's financial account, or account number, credit card or debit card number if the individual's financial account can be accessed without additional information
- Biometric information such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data that is used to authenticate or ascertain an individual's identity
- A username or email address with a password or security question and answer that would permit access to an online account
The SHIELD Act is part of a growing trend in the United States toward tougher data privacy and security laws, mirroring what we've seen introduced in the EU via GDPR, Brazil via LGPD, and Canada via PIPEDA. The SHIELD Act is extraterritorial in that it applies to any business that holds private information of New York residents, regardless of whether it conducts business in New York, just like GDPR, LGPD, PIPEDA, and California's CCPA.
Additionally, the wider scope of what constitutes a data breach, paired with the new additions to the definition of private information, vendor risk management requirements, and the need for specific safeguards, means that businesses need to plan for and formalize compliance by March 21, 2020, or risk exposure to penalties for noncompliance.