On July 25, 2019, New York’s Governor, Andrew M. Cuomo, signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which imposes stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach. The act amends New York’s existing laws governing data breach notification requirements and becomes effective March 21, 2020. “It is our responsibility to protect the privacy of New Yorkers,” said Assembly Member Michael DenDekker. “This [law] will ensure that businesses across the state dutifully guard consumer data and will enable the Attorney General’s Office to take the appropriate measures quickly and effectively in case of a breach. With the passing of the SHIELD Act, consumers’ private information will be more secure than ever.”
Overview of the Act
Notably, the SHIELD Act extends the information covered and the scope of New York’s current breach notification laws beyond entities that conduct business in the state to all persons and businesses that acquire digital information about New York state residents.
The act also recognizes that some businesses may have overlapping breach notification obligations with other existing laws, such as New York’s Department of Financial Services regulations (DFS Cybersecurity Rule), the Gramm–Leach–Bliley Act (GLBA), or the Health Insurance Portability and Accountability Act (HIPAA). The SHIELD Act, therefore, stipulates that effective October 23, 2019, entities that provide notice in accordance with other breach notification laws or regulations are no longer required to separately comply with the notification requirements of New York’s Breach Notification Law.
In addition to expanding the scope of notification requirements and accounting for overlaps of similar laws, the SHIELD Act also:
- Expands the scope of information subject to the current data breach notification law to include biometric information, email addresses, and corresponding passwords or security questions and answers
- Broadens the definition of a data breach to include unauthorized “access” to private information from the current “acquired” standard
- Updates the notification procedures companies and state entities must follow when there has been a breach of private information
- Creates reasonable data security requirements tailored to the size of a business
- Outlines penalties for businesses that fail to provide notice to consumers of a breach and the limitations period for the attorney general to act on any failure
The central requirement of the SHIELD Act is that businesses protect the private information of New York residents. “Private information” is defined as an individual’s:
- Social security number
- Driver's license number or non-driver identification card number
- Account number or credit or debit card number, in combination with any required security code, access code, or password, or other information that would permit access to an individual's financial account
- Account number or credit or debit card number if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password
- Biometric information
- A username or email address in combination with a password or security question and answer that would permit access to an online account
Private information does not include information that is lawfully made available to the general public from federal, state, or local government records.
The SHIELD Act states that “any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.”
Specifically, a covered business will be “deemed in compliance” when it implements and maintains a program that incorporates administrative, physical, and technical safeguards, which the Act states should include the following:
- Designate one or more employees to coordinate the security program
- Identify reasonably foreseeable internal and external risks
- Assess the sufficiency of safeguards in place to control the identified risks
- Train and manage employees in the security program practices and procedures
- Select service providers capable of maintaining appropriate safeguards and require those safeguards by contract
- Adjust the security program in light of business changes or new circumstances
- Assess risks of information storage and disposal
- Detect, prevent, and respond to intrusions
- Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
- Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
- Assess risks in network and software design
- Assess risks in information processing, transmission, and storage
- Detect, prevent, and respond to attacks or system failures
- Regularly test and monitor the effectiveness of key controls, systems, and procedures
The SHIELD Act allows a small business to have a slightly modified program. A small business is one that has fewer than 50 employees, less than $3M in gross annual revenue in each of the last three fiscal years, or less than $5M in year-end total assets calculated under Generally Accepted Accounting Principles (GAAP).
The act specifies that a small business security program is compliant when it “contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.”
Breach Notification Requirements
Unfortunately, even with the appropriate protections in place, a breach of information can still occur. The SHIELD Act expanded the definition of a breach to include unauthorized access to information in addition to unauthorized acquisition of information that compromises the security, confidentiality, or integrity of private personal information maintained by a business.
In determining whether the information is reasonably believed to have been accessed or acquired by an unauthorized person, a business should consider the following factors:
- Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information
- Indications that the information has been downloaded or copied
- Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported
Once it’s been determined that a breach has occurred, the SHIELD Act requires a business to notify affected individuals immediately. Notification methods and notification content are specified under the Act.
What Businesses Should Do to Prepare
In order to prepare for the effective date of the SHIELD Act, businesses need to assess whether or not they handle and maintain private, personal data of New York residents. If so, they should implement a data security program that follows the guidelines of the Act and update existing policies and practices that address breach notification.
Key steps in building a compliant program include:
- Designating one or more individuals to coordinate the data security program
- Assessing internal and external risks and implementing reasonable safeguards according to the Act
- Devising a plan, based on guidance under the Act, to be followed in case a data breach is suspected or occurs
- Creating procedures for securely destroying private information once it is no longer needed for business purposes
- Training employees in the policies and procedures of the company’s data security program, including how to identify and avoid risks
- Auditing any service providers to ensure that they are safeguarding applicable private information
Although the SHIELD Act doesn’t permit a private right of action, it doubles the penalty recoverable by the attorney general from $10 to $20 per failed notification and increases the maximum penalty total from $100,000 to $250,000.
In addition, data breaches, as evidenced by recent high-profile cases such as Marriott and Facebook, can have other costly consequences, including fines from federal agencies, lawsuits, and damage to the company’s reputation.
A 2018 survey conducted by the Ponemon Institute revealed some insightful statistics that support the argument that all businesses, nationwide, need to implement a data security program:
“Companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days. Similarly, companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve.”
Businesses are encouraged, whether or not they are covered by the SHIELD Act, to implement a data security program that mitigates the inherent risks of maintaining personal customer information. Being prepared for a data breach is the first step in preventing one and can help a company avoid disaster.