The New York State SHIELD ACT:
Stop Hacks and Improve Electronic Data Security
What is the New York State SHIELD Act?
This new law applies to all companies in New York State or ones outside that have NYS resident data.
This law boosts the protection of consumer and employees’ private information and will hold companies that do business within the state accountable. Although there are federal and state protections of varying degrees already in existence, this New York law will have a broader impact simply due to the size of the state and the number of employees and residents.
The SHIELD Act expands the definitions of a breach and private information and requires businesses to have specific controls in place for breach prevention, detection, and response.
The NYS SHIELD Act Important Dates
- The SHIELD Act was signed into law on July 25, 2019
- Businesses must comply by March 21, 2020
SHIELD Act goes into effect in:
Who should pay attention to the NYS SHIELD Act?
Every company that has any customers in New York - whether the company is headquartered in another state or country. Size does not matter! Virtually any medium and enterprise-sized company with even one New Yorker needs to implement this new policy.
This law affects every New York consumer, however, it could affect consumers in other states. Many businesses without a New York presence may be required to comply as the law applies to any business that maintains private information of New York residents.
The SHIELD Act requires employers in possession of New York residents’ private information to safeguard that data. Security teams should work in conjunction with their Legal and HR department to instill correct processes and onboarding training.
MDS: Your Compliance Experts on the NYS SHIELD ACT
All you need to know about the NYS SHIELD Act
The NYS SHIELD Act has expanded definitions such as:
- Expands the definition of a breach
- Previously a breach was defined as the unauthorized acquisition of private information. Now it is defined as unauthorized access to private information.
- “Access” now includes viewing, downloading, or copying private information.
- Expands the definition of private information to include personal information.
- Expands businesses the law applies to
- Previously the law applied only to entities conducting business in New York, now the law applies to any entity with private information about New York residents.
- Requires “Reasonable Safeguards”
- Businesses that own or license personal information of New York State residents are now required to implement “reasonable safeguards” preventing a breach of that information.
- Expands exemptions
- Businesses are not required to notify of a breach if it occurred inadvertently by a person authorized to access the private information, and if the exposure does not result in financial or emotional harm to the individuals whose data was breached.
- Businesses are not required to notify of a breach under this Act if they have notified of the same breach under a different breach notification regulation, such as the New York Division of Financial Services (NYDFS) Cybersecurity Regulation, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), or others.
- Small businesses may tailor their information security programs based on their size, the nature of their business and the sensitivity of their private information.
- Expands violation action period
- The NY State Attorney general can bring an action against a company within three years of the violation (whereas previously it was two years).
The SHIELD law will protect the following information: biometric information resulting from facial recognition software or other means, email addresses and their passwords (as well as security questions and answers), Social Security numbers, driver’s license or non-driver ID card numbers and any account number including debit and credit card information with or without security or access codes. This results in more data elements requiring notification if breached.
- Assigning and designating one or more employees to implement a security program
- Establishing and implementing a security training program
- Testing and monitoring key controls on a regular basis
- Disposing of private information after a reasonable time frame
Some key elements with relevance to HR stakeholders include the following:
- Designating an employee or employees to coordinate the data security program.
- Training and managing employees in security program practices and procedures.
- Assessing internal and external risks and implementing controls to reduce those risks.
- Vetting service providers and binding them contractually to safeguard private information.
- Securely destroying private information within a reasonable amount of time after it is no longer needed for business purposes.
The New York State Attorney General can seek up to $250,000 for violations by a company, up from the previous statute’s $150,000. New York means business when it comes to data security: by August 2019, the Attorney General’s office has levied fines of more than $600 million related to data breaches, based on existing statutes. It has also announced multiple high-profile breach investigations. With the addition of the SHIELD Act, fines are estimated to grow to $2 billion.