The NYS SHIELD Act has expanded definitions such as:

• Expands the definition of a breach
  • Previously a breach was defined as the unauthorized acquisition of private information. Now it is defined as unauthorized access to private information.
  • “Access” now includes viewing, downloading, or copying private information.
• Expands the definition of private information to include personal information.

• Expands businesses the law applies to
  • Previously the law applied only to entities conducting business in New York, now the law applies to any entity with private information about New York residents.
• Requires “Reasonable Safeguards”
  • Businesses that own or license personal information of New York State residents are now required to implement “reasonable safeguards” preventing a breach of that information.
• Expands exemptions
  • Businesses are not required to notify of a breach if it occurred inadvertently by a person authorized to access the private information, and if the exposure does not result in financial or emotional harm to the individuals whose data was breached.
  • Businesses are not required to notify of a breach under this Act if they have notified of the same breach under a different breach notification regulation, such as the New York Division of Financial Services (NYDFS) Cybersecurity Regulation, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), or others.
  • Small businesses may tailor their information security programs based on their size, the nature of their business and the sensitivity of their private information.
• Expands violation action period
  • The NY State Attorney general can bring an action against a company within three years of the violation (whereas previously it was two years).

The SHIELD law will protect the following information: biometric information resulting from facial recognition software or other means, email addresses and their passwords (as well as security questions and answers), Social Security numbers, driver’s license or non-driver ID card numbers and any account number including debit and credit card information with or without security or access codes. This results in more data elements requiring notification if breached.

Safeguards include:

• Assigning and designating one or more employees to implement a security program
• Establishing and implementing a security training program
• Testing and monitoring key controls on a regular basis
• Disposing of private information after a reasonable time frame

Some key elements with relevance to HR stakeholders include the following:

• Designating an employee or employees to coordinate the data security program.
• Training and managing employees in security program practices and procedures.
• Assessing internal and external risks and implementing controls to reduce those risks.
• Vetting service providers and binding them contractually to safeguard private information.
• Securely destroying private information within a reasonable amount of time after it is no longer needed for business purposes.

The New York State Attorney General can seek up to $250,000 for violations by a company, up from the previous statute’s $150,000. New York means business when it comes to data security: by August 2019, the Attorney General’s office has levied fines of more than $600 million related to data breaches, based on existing statutes. It has also announced multiple high-profile breach investigations. With the addition of the SHIELD Act, fines are estimated to grow to $2 billion.