New York’s SHIELD Act, key questions answered
New York's SHIELD Act comes into effect in March 2020. In preparation, we've compiled some basic info about what the law entails.
Signed into law in July 2019, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act is designed to impose additional data security and data breach notification requirements on businesses it applies to. Here are the answers to a few of the most frequently asked questions about it.
1. Who does it apply to?
The act applies to any entity, regardless of size or location, that collects or possesses computerised private data pertaining to residents of New York State. This is a noticeable departure from the current requirement that entities must conduct business in the State of New York.
2. What are the key requirements of the act?
The key requirements of the act relate to two main areas: data breach notifications and reasonable safeguards to protect private information.
Data breach notifications: The SHIELD act requires entities to notify affected individuals if a “breach of the security system” results in a compromise of New York state residents’ private information, which is defined as:
- Personal information, usually a name, in combination with: a social security number; a driver’s license number or non-driver identification card number; an account, credit or debit card number in combination with any required security code that would permit access to an individual’s account; or biometric information, such as a fingerprint, voice print or retina image.
- A username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
In those instances where a breach of the security system has resulted in the compromise of private information, the entity in question has to give notice to affected individuals through by mail, email, or phone, or under certain conditions, through a substitute notice posted on the business’s website
Unlike the California Consumer Protection Act, the SHIELD Act does not create a private right of action.
Reasonable safeguards: The SHIELD Act also requires entities to have reasonable safeguards in place to protect private information. These safeguards can be broken down into three sections:
- Reasonable administrative safeguards, such as designating one or more employees to co-ordinate the security program, identifying internal and external risks, training employees in the security program practices and procedures, and more.
- Reasonable technical safeguards, such as assessing risks in network and software design and information processing, transmission and storage, implementing measures respond to attacks or system failures, and regular monitoring of the effectiveness of key controls.
- Reasonable physical safeguards, such as assessing the risk of information storage and disposal, implementing measures to detect, prevent and respond to intrusions, having protections against unauthorized access to private information during or after the collection, transportation and disposal of information.
It’s worth noting that entities can be deemed in compliance with the reasonable safeguards requirement if they are both subject to and compliant with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), The New York Department of Financial Services Cybersecurity Regulation or any other data security rules and regulations of the federal or New York state government. In addition, if an entity has already notified affected individuals in accordance one of the acts mentioned above, the SHIELD Act does not require additional notification but still requires notice to the New York Attorney General, the New York Department of State and the New York Police.
It’s also worth noting that small businesses with less than 50 employees, less than $3m in annual revenue, or less than $5m in year-end total assets are able to scale the “reasonable safeguards” in accordance to the size and complexity of the business.
3. What are the consequences of non-compliance?
In the event that a business does not comply with the notification requirements of the SHIELD Act, the attorney general can bring an against the entity or employees of the entity that can result in a civil penalty of $5,000 or up to $20 per instance of failed notification up to a total amount of $250,000.
In the event that that the business fails to comply with the reasonable safeguards, the attorney general can bring an action against the entity or that can result in a civil penalty of up to $5,000. In theory, this applies to any violation of the requirement, so it could be applied even if there has been no breach of private information.