How Organizations Should Get Ready for the New York SHIELD Act
In the absence of comprehensive federal data protection privacy standards, states are taking matters into their own hands by passing legislation to protect the private information that companies acquire from individuals. In July, Governor Cuomo of New York signed the SHIELD act (Stop Hacks and Improve Electronic Data Security). The law defines the requirements for any individual or company that handles the private information of a New York resident – not just companies that operate in New York State.
The New York SHIELD act makes changes and additions in five primary areas:
- The definition of “private information” now includes:
  - Biometric information
  - Credit/debit card numbers or financial account numbers, if this information would make it possible to access an account without any additional identifying information
  - Security codes, access codes, and passwords
  - A username or email address in combination with a password or security question and answer that would permit access to an online account
- The definition of the term “breach” now includes incidents that involve unauthorized access – even if no data has been stolen. The act addresses situations in which the breaches are inadvertent and not likely to result in a misuse of information. Companies must document these incidents and maintain any documentation for five years. If inadvertent breaches involve more than 500 New York residents, the state attorney general must be notified within ten days after impact is determined.
- The penalties for knowingly or recklessly violating SHIELD’s breach notification provision have increased from $10 to $20 per failed notification, and the maximum penalty has increased from $100,000 to $250,000. The law does not include a right to private legal action, but the New York State Attorney General can bring an action in court, and the court may award damages, including consequential financial losses for a failed notification.
- Data Security Program: Organizations will need to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity” of private information, including methods for data. Even though SHIELD sets forth no specific standards, a company is only deemed compliant if it implements a data security program that includes:
  - The designation of one or more employees to coordinate the security program
  - The identification of reasonably foreseeable internal and external risks
  - An assessment of the sufficiency of the safeguards in place to control the identified risks
  - Employee training in security program practices and procedures
  - Proper oversight of vendors’ compliance with safeguards
  - Adjusting the security program to align with changes to the business
  - Implementing reasonable technical and physical safeguards as detailed by SHIELD
  - The disposal of private information within a reasonable amount of time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed
- The amount of time in which the Attorney General can take action against a violation of this provision has increased from two to three years (from the date that the Attorney General is made aware of the violation or the date that the covered entity provides notice of the breach). No action can be taken beyond six years from the date the breach was discovered unless the company took steps to hide the breach.
Small businesses that have fewer than 50 employees and less than $3 million in gross revenue over the past three years (or less than $5 million in total assets as of the last year end) are only required to implement data security safeguards “appropriate for the size and complexity” of the business, “the nature and scope” of the activities of the business, and the “sensitivity of the personal information” handled by the business.
Overlap
If a business is already in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA) cybersecurity rules, or the NY State Department of Financial Services’ cybersecurity requirements for financial services companies, they are also deemed compliant with the SHIELD Act.
The SHIELD Act’s breach notification provisions will take effect on October 23, 2019, while the Act’s new data protection safeguards will take effect on March 21, 2020.
Recommendations for Businesses
Businesses should take several steps to be ready for compliance:
- Businesses should identify and train the employee or employees who will coordinate the required data security program. Larger organizations should train multiple employees, ideally a separate employee for each department.
- The training should be ongoing and include continuous information sharing to ensure knowledge of changing risks and requirements.
- Executives across the organization should be made aware of all SHIELD requirements and should assist IT in assessing security risks, especially with regard to negligent behaviors and malicious insiders.
- All employees should be trained to be swift and proactive in reporting suspicious activity like phishing emails. Employees should understand the importance of reporting suspicious activity, especially as it pertains to the company’s obligations to assess the severity of the damage and notify the proper authorities.
- All executives should be made aware of the need to negotiate proper information security provisions in vendor agreements.
- CISOs and GRC executives should get all business units involved in risk assessments in order to more easily identify risks and implement appropriate controls.
- Businesses should invest sufficiently in training employees on security program practices and procedures. A company that invests in training will not only satisfy a required element of a compliant data security program but can also accrue other benefits, such as customer confidence and a reduced risk of reputational harm.
- Businesses should adopt a risk-based approach to security by placing emphasis on the assessment of internal and external risks and implementing controls to reduce those risks based on the probability of occurrence and size of potential losses. This should be done with multiple participants from across the organization to yield a more accurate picture.
- Businesses should include legally binding security standards in vendor contracts and establish procedures for the pre-hire vetting of service providers.
- Policies for securely destroying private information that is no longer needed for business purposes should be established (or reviewed and updated) and implemented.
The New York SHIELD Act is representative of the many privacy and data protection laws and regulations that are quickly growing in number throughout the U.S. and globally. Each law has its nuances, but the general themes are similar: companies must do a better job of protecting consumers’ personal data and allow consumers to take control of their personal data. Businesses should begin integrating cybersecurity and privacy best practices into all aspects of the organization in order to make compliance with each new law less onerous.