The “Stop Hacks and Improve Electronic Data Security” or SHIELD Act, signed by New York Governor Andrew Cuomo, is effective as of 3/21/20 and will apply to you if you own or license private information on New York residents. What are the requirements? Simply put, you must develop, implement and maintain “reasonable safeguards” to protect private information. Private information is defined as online credentials, or a name combined with a social security number, driver’s license number, payment card information or biometric information.
How are “reasonable safeguards” defined? The SHIELD Act states that an organization will be deemed in compliance if it:
1) Complies with one of a list of regulatory frameworks, including HIPAA, GLBA, 23 NYCRR 500 or “any other data security rules and regulations administered by a federal or New York state government department, division, commission, or agency”, which would certainly include the NIST Cyber Security Framework.
2) Implements a data security program that includes specific elements:
- Reasonable administrative safeguards, such as:
  - designating an employee to coordinate the security program;
  - identifying reasonably foreseeable internal and external risks;
  - assessing the sufficiency of safeguards in place to control identified risks;
  - training and managing employees in the security program practices and procedures;
  - selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract; and
  - adjusting the security program in light of business changes or new circumstances;
- Reasonable technical safeguards, such as:
  - assessing risks in network and software design;
  - assessing risks in information processing, transmission, and storage;
  - detecting, preventing, and responding to attacks or system failures; and
  - regularly testing and monitoring the effectiveness of key controls, systems, and procedures; and
- Reasonable physical safeguards, such as:
  - assessing risks of information storage and disposal;
  - detecting, preventing, and responding to intrusions;
  - protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
  - disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Alternatively, “small businesses” (fewer than 50 employees, less than $3M gross for the last three fiscal years, or less than $5M in year-end total assets) have another option:
3) Implements reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.
The SHIELD Act also broadens the definition of a “breach” to include not only unauthorized “acquisition” of PII, but also unauthorized “access” to PII. The SHIELD Act gives the New York Attorney General more time to bring an action for violations of the statute’s breach notification requirements, while also increasing the total amount of civil penalties available. Unlike the data security provisions of the SHIELD Act, which became effective on March 21, 2020, the data breach notification provisions will enter into force on October 23, 2019.
Failure to comply with these data security requirements is a violation of the state’s prohibition on deceptive acts and practices, and the New York Attorney General may pursue civil penalties of up to $5,000 per violation under N.Y. Gen. Bus. Law Section 350-d.