Amid the escalating COVID-19 situation, one may easily overlook the fact that New York's Stop Hacks and Improve Electronic Data Security Act entered into force March 21. What does this mean for your business?

The key changes of the SHIELD Act include expanding the definitions of “private information,” what constitutes a “breach,” and requiring businesses that own or license New York residents’ private information to implement and maintain security safeguards.

Here is the breakdown of some of the key changes introduced in the SHIELD Act.

The SHIELD Act expands the definition of “private information” that may trigger notification to include the following types of data: (1) biometric information, including a fingerprint, voice print, retina or iris image; (2) account number, credit or debit card numbers without a security code, provided the number could be used to access an individual’s financial account without additional identifying information; and (3) usernames or email addresses, in combination with a password or security question and answer that could permit access to an online account.

The definition of what may constitute a “data breach” has been expanded to now include the “unauthorized access” to “private information,” whereas the law previously only covered the unauthorized acquisition of “private information.” In determining whether information has been accessed or is reasonably believed to have been accessed by an unauthorized person or a person without valid authorization, the SHIELD Act provides that "factors to consider include indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person."

There is an exception to the breach notification obligation when the exposure of private information was due to an inadvertent disclosure by persons authorized to access private information and the person or business makes a reasonable determination (which must be documented in writing and maintained for at least five years) that such exposure "will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials."

There is also an exception to the breach notification obligation if notification is already made pursuant to other regulations, such as those promulgated under the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, New York Division of Financial Services Cybersecurity Regulation or by another official department, division, commission or agency of the federal or New York state government.

Perhaps one of the key requirements of the SHIELD Act is that it requires businesses that own or license New York residents’ private information to "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data." A business will be deemed in compliance with the SHIELD Act if it implements a data security program that includes "reasonable administrative, technical and physical safeguards." Elements for each are outlined below. 

Reasonable administrative safeguards include the following:

• Designating one or more employees to coordinate the security program identifying reasonably foreseeable internal and external risks.
• Assessing the sufficiency of safeguards in place to control the identified risks.
• Training and managing employees in the security program practices and procedures.
• Selecting service providers capable of maintaining appropriate safeguards, requiring those safeguards by contract.
• Adjusting the security program in light of business changes or new circumstances.

Reasonable technical safeguards include the following:

• Assessing risks in network and software design.
• Assessing risks in information processing, transmission and storage.
• Detecting, preventing and responding to attacks or system failures.
• Regularly testing and monitoring the effectiveness of key controls, systems and procedures.

Reasonable physical safeguards include the following:

• Assessing the risks of information storage and disposal.
• Detecting, preventing and responding to intrusions.
• Protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information.
• Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

A business is also deemed to be in compliance with the SHIELD Act’s data security requirements if it is already in compliance with other security laws, such as Title V of GLBA, HIPAA or the New York State Department of Financial Services Cybersecurity Requirements.

In relation to small businesses, the SHIELD Act simply requires "reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.”

In terms of possible enforcement actions, the attorney general may pursue civil penalties for violations, but the SHIELD Act expressly provides that there is no private right of action.

Companies that fail to comply with these security requirements may face civil penalties of up to $5,000 per violation. The penalty for failing to comply with the breach notification requirement is subject to a penalty of $20 per instance of failed notification, but the penalty cannot exceed the cap of $250,000.

Because the security requirements of the SHIELD Act apply to any business that collects or maintains private information of a resident of New York, the law is likely to have a broad impact since many companies will hold personal information relating to one or more New York residents.

Photo by Jonathan Riley on Unsplash