The Shield Act "Stop Hacks and Improve Electronic Data” Security Act was signed into law by Governor Cuomo on July 25, 2019.
In brief, The SHIELD Act expands the definition of private information, tightens breach notification requirements and requires that businesses and individuals handling sensitive information implement “reasonable” data security measures. The SHIELD Act applies to any person or entity with private information of a New York resident, not just to those that conduct business in New York State.
Our Advice
By demonstrating compliance under any of the recognized security control frameworks, businesses can de facto claim compliance with the Shield Act and therefor minimize the risk of prosecution as a result of a data breach.
Key Components
To aid in making security decisions based on the new law, below are some of the key components of the act.
[Excerpted from a July 18, 2019, post by the law firm of Kramer Levin, “Stricter Data Privacy and Cybersecurity Laws May Be Coming Soon to New York: Updates on the SHIELD Act and the New York Privacy Act.” (Note: the bold-faced emphases in text are ours.)]
Private Information
The [2005] NY Breach Notification Act defined personal information as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” For the purposes of the law, that personal information becomes “private information,” and thus subject to notification requirements in the event of a breach, when it is combined with an individual’s:
-
- Social Security Number;
- Driver’s license number or non-driver ID card number or account number; and/or
- An account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
The SHIELD Act would add three more categories to the list, including:
-
- Account number, credit or debit card number, if circumstances exist wherein such number(s) could be used to access an individual’s financial account without any additional identifying information, security code, access code or password; or
- Biometric information data generated from electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain the individual’s identity; or
- A user name or e-mail address in combination with a password or security question and answer that would permit access to an online account….
- Account number, credit or debit card number, if circumstances exist wherein such number(s) could be used to access an individual’s financial account without any additional identifying information, security code, access code or password; or
Expanded Notification Requirements
One of the SHIELD Act’s most significant reforms relates to the definition of a data breach. The 2005 Breach Notification Act only applies to the unauthorized acquisition of private information, but the SHIELD Act includes instances of unauthorized access. Breach victims would have to notify affected New Yorkers “in the most expedient time possible and without unreasonable delay” if data had been subjected to unauthorized access, unless the breach victim can verify that the exposure was “inadvertent” and reasonably determine it “will not likely result in misuse” or harm to affected persons. As a result, many more incidents may require notification than previously….
“Reasonable” Data Security Measures
The statute lists examples of reasonable administrative, technical and physical safeguards. These include employee training, risk assessments, regular testing of key controls and procedures, and the disposal of private information within a reasonable amount of time after it is no longer needed….
Another important point: If a business has been certified under any of the commonly recognized certification schemes (i.e. HIPAA, PCI, 800-53, CIS), then it will be considered to have satisfied this requirement under the act. This is detailed on a blog, in a 2018 article, “A Primer on the Shield Act: New York’s Move to Adopt More Stringent Date Security Requirements Part II.”
Small businesses would be considered compliant with the cybersecurity requirements of the Act “if they implement and maintain reasonable safeguards [for private information] that are appropriate to the size and complexity of the small business.” The act defines a “small business” as one consisting of fewer than 50 employees, having a gross revenue of under $3 million for last three fiscal years, or having under $5 million in assets.
Equally important, the act does not permit a business to be sued for damages resulting from data exposure through any private action. Enforcement of the act is strictly through prosecution by the New York Attorney General’s office. Businesses preferred this outcome as it removes a significant risk of nuisance lawsuits; however, data privacy advocates see this as limiting the ability to seek recourse directly.
Having a comprehensive security program in place with the ability to demonstrate compliance is essential. To avoid fines and reputational damage, iV4 can guide you through the requirements for meeting compliance regulations.
