New York State SHIELD (Stop Hacks and Improve Electronic Data Security) ACT
New York State SHIELD (Stop Hacks and Improve Electronic Data Security) will go into Effect March 21, 2020. This gives businesses a little less than nine months to become familiar with it and prepare for it entails.
What is the SHIELD Act? The Stop Hacks and Improve Electronic Data Security (SHIELD) Act redefines data security and data breach notification requirements for businesses. The goal of the Act is to ensure New York residents are better protected against data breaches of their personal information.
In New York’s original “Information Security Breach and Notification Act, which was effective December 7, 2005, residents had the right to know when a security breach resulted in the exposure of their private information. Private information was defined as “any personal information concerning a natural person in combination with any one or more of the following data elements: social security number, driver’s license number, account number, or credit or debit card number in combination with any required security code.”
The SHIELD Act expands the definition of “private information” which sets forth the data elements that, if breached, could trigger a notification requirement. Under the amended law, “private information” means either:
- personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
- social security number;
- driver’s license number or non-driver identification card number;
- account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
- biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; OR
- a username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
It should be noted that “Private information” does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.
In the Act a “Breach of the security of the system” shall mean unauthorized ACCESS TO OR acquisition OF, or ACCESS TO OR acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of [personal] PRIVATE information maintained by a business. Good faith ACCESS TO, OR acquisition of [personal], PRIVATE information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.” Simply put, if access was not granted to the data, it is considered a breach, however, if being used for valid business reasons, then its ok.
So, who needs to comply with this? Any person or business that owns or license computerized data which includes private information of New York residents.
There are some exemptions:
- If exposure of private information was inadvertent and is determined that it will not cause harm to the individual (by acting responsibly and being diligent in your assessment of this),
- Businesses regulated by other state and federal regulatory laws (GLBA, HIPAA, NY DFS). Though, they are still required to Notify the attorney general.
Small businesses are subject to the reasonable safeguards requirement, however safeguards may be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” A small business is considered any business with fewer than fifty employees, less than $3 million in gross annual revenue in each of the last 3 years, or less than $5 million in year-end total assets’
Reasonable safeguards include:
- the implementation of a cybersecurity program
- ensure proper oversight of the cybersecurity program
- perform risk assessments
- conduct vulnerability assessments and penetration tests
- ensure your currents controls are effective
- perform data classification and inventory
- have a proper incident response framework
- proper removal and destruction of private data that is no longer needed
- evolve as the business and regulatory requirements change.
Are there penalties? Yes, for data breach notification violations that are not intentional, the court may award damages for actual costs or losses incurred by the affected person, including substantial financial losses. For intentional or irresponsible breaches, the court may impose penalties of the greater of $5000 dollars or up to $20 per instance with a cap of $250,000. For reasonable safeguard requirement violations, the court may impose penalties of no more than $5,000 per violation.