The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) or Senate Bill 5575, was enacted on July 25, 2019 as an amendment to the New York State Information Security Breach and Notification Act. The law goes into effect on March 21, 2020.
The motivation behind the SHIELD Act is to update New York's data breach notification law to keep pace with current technology. The bill broadens the scope of information covered under the notification law and updates breach notification requirements when there has been a breach of data.
It also broadens the definition of a data breach to include an unauthorized person gaining access to private information and requires organizations to employ reasonable data security.
Critically, this includes the designation of a person to run the vendor risk management process and to conduct due diligence on the data security measures of third-party vendors and service providers.
To help with adherence, the SHIELD Act provides standards tailored to the size of a business and protections from liability for certain entities.
In short, the SHIELD Act imposes stronger obligations on businesses handling private information and personal information in an attempt to mitigate threats that contribute to identity theft, such as data breaches and data leaks.
Table of contents
- Why is the SHIELD Act important?
- How has the SHIELD Act changed data breach notification requirements?
- Who must comply with the SHIELD Act?
- How to comply with the SHIELD Act
- What are the penalties for not complying with the SHIELD Act?
- How is personal information defined in the SHIELD Act?
- How is private information defined in the SHIELD Act?
- Key takeaways
- How UpGuard can protect private information and assess technical safeguards
1. Why is the SHIELD Act important?
The SHIELD ACT is important because it has "extraterritorial application" which means it covers all employers, individuals or organizations, regardless of location, that collect private information on New York residents. Previously, data breach notification requirements were limited to those that conduct business in New York. Other examples of extraterritorial data protection laws include the California Consumer Privacy Act (CCPA), the EU's General Data Protection Regulation (GDPR) and The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD).
The other important part is the mandatory implementation of a data security program with specific safeguards such as risk assessments, workforce training, incident response planning and testing, as well as the increased scope of a security breach is, e.g. any viewing of private information could trigger a reporting requirement.
The law brings the State of New York in line with other states such as California, Rhode Island and Massachusetts.
2. How has the SHIELD Act changed data breach notification requirements?
The SHIELD Act amends New York's existing breach notification law and broadens notification requirements, requiring notification if compromised data is:
- Computerized data containing private information of a New York resident
- Reasonably believed to have been accessed or acquired by a person without valid authorization
The SHIELD Act has substantially expanded the definition of private information to now include-in addition to social security numbers, driver's license numbers, credit or debit card numbers, or financial account numbers-to include biometric information, email addresses and corresponding passwords or security questions and answers and financial account numbers without a required security code if an unauthorized person could access the account.
Additionally, the definition of a data breach has been broadened to include authorized access rather than solely unauthorized acquisition.
That said, the law does discern between unauthorized access in good faith. A breach is security does not include "good faith access to, acquisition of private information by an employee or agent of the business" as long as the data is not used or subject to unauthorized disclosure. Nor is notification required where disclosure was inadvertent by persons with authorized access and the business reasonably determines the disclosure will not result in misuse of such information or financial or emotional harm.
Nor does the SHIELD Act impose specific time constraints on data breach notification, unlike other data protection laws like GDPR, instead opting for notification "in the most expedient time possible and without unreasonable delay".
The exemption to this is covered entities who must provide notification of a breach including breach of information (e.g. protected health information) that is not private information to the secretary of health and human services as defined in HIPAA/HITECH who must then provide the notification to the state attorney general within five business days of notifying the secretary.
3. Who must comply with the SHIELD Act?
The SHIELD Act broadly requires that "any person or business" that owns or licenses computerized data which includes private information of a New York resident "shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but limited to, the disposal of the data".
That said, entities with a data security program compliant under the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and/or the New York State Department of Financial Services Cybersecurity Regulation are exempt as these laws are deemed in compliance with the SHIELD Act.
The other exemption is for small businesses who must scale their data security requirements according to their size and complexity, the nature and scope of business activities and the nature and sensitivity of the information collection.
The SHIELD Act defines a small business as any person or business who meets one of the following criteria:
- Less than fifty employees
- Less than three million dollars in gross annual revenue in each of the last three fiscal years
- Less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles (GAAP)
4. How to comply with the SHIELD Act
In order to comply with the SHIELD Act organizations must implement a data security program that includes at least the following:
- Reasonable administrative safeguards: such as designating one or more employees to coordinate the security program; identifying foreseeable internal and external risks; assess the sufficiency of safeguards in place to control the identified risks; trains and manages employees in the security program practices and procedures; selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract; and adjusts the security program in light of business changes or new circumstances
- Reasonable technical safeguards: Assesses cybersecurity risk in network and software design; assesses risks in information processing, transmission and storage; detects, prevents and responds to cyber attacks or system failures; and regularly tests the effectiveness of key controls, systems and procedures
- Reasonable physical safeguards: Assesses risks of information storage and disposal; detects, prevents and responds to intrusions; protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal; and disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
5. What are the penalties for not complying with the SHIELD Act?
Failure to implement a compliant information security program is enforced by the New York State Attorney General and can result in injunctive relief and civil penalties of up to $5,000 per violation.
Businesses that fail to comply with the breach notification requirements can be held liable for the "actual costs or losses incurred by a person entitled to notice". In addition, if the business violates the provision "knowingly or recklessly", a civil penalty of the greater of $5,000 or $20 per instance of failed notification, up to a maximum of $250,000.
6. How is personal information defined in the SHIELD Act?
The SHIELD Act defines personal information as any information concerning a natural person which, because of name, number, personal mark, or identifier, can be used to identify them.
7. How is private information defined in the SHIELD Act?
The SHIELD Act defines private information as:
- Any personally identifiable information (PII) such as name, number or other identifier coupled with social security number, driver's license number or non-driver identification card number, account number, credit card or debit card number in combination with any security code, access code, password or other information that would permit access to the individual's financial account, or account number, credit card or debit card number if the individual's financial account can be accessed without additional information
- Biometric information such as fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which is used to authenticate or ascertain an individual's identity
- A username or email in combination with a password or security question and answer that would permit access to an online account.
8. Key takeaways
The SHIELD Act is part of a growing trend in the United States toward tougher data privacy and security laws, which we've seen introduced in the EU via GDPR, Brazil via LGPD and Canada via PIPEDA. The SHIELD Act is extraterritorial in that it applies to any business that holds private information of New York residents, regardless of whether it conducts business in New York, just like GDPR, LGPD, PIPEDA and California's CCPA.
Additionally, the wider scope of what constitutes a data breach paired with new additionals to private information, vendor risk management requirements and the need for specific safeguards mean that businesses need to plan for and create a formal plan for compliance by March 21, 2020 or risk exposure to penalties for noncompliance.
9. How UpGuard can protect private information and assess technical safeguards
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
We're experts in data breaches and data leaks, our research has been featured in the New York Times, Wall Street Journal, Bloomberg, Washington Post, Forbes, Reuters and Techcrunch.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and providing vendor questionnaire templates that map to the NIST Cybersecurity Framework and other best practices. We can help you continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each vendor is rated against 50+ criteria such as presence of SSL and DNSSEC, as well as risk of domain hijacking, man-in-the-middle attacks and email spoofing for phishing.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.