October 19, 2023

The New York Shield Act: All You Need to Know


New York has no data privacy law just yet, but it has a data security law that you need to know about if you do business in the Empire State. If your company conducts business in New York, you must abide by the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which New York Governor Andrew Cuomo signed into law in 2019.

The law aims to strengthen the data security measures implemented by businesses and adds data breach notification requirements for them.

Data breaches are a reality for many businesses and a risk for all others. That's why you need to learn about this law.

In this article, we'll go into detail about:

  • What the New York Shield Act is
  • What private information is under the Act
  • What the Act requires from businesses
  • The data breach notification requirements
  • The safeguards that businesses need to implement

What is the New York Shield Act?

The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) is an update of New York’s 2005 Information Security Breach and Notification Act. It brought several big updates:

  • Expanded the types of personal information that companies have to provide a notice for in the case of a data breach;
  • Expanded the definition of a data breach;
  • Expanded the territorial scope; and
  • Required businesses to implement appropriate safeguards for data security.

What is private information under the Act?

The Shield Act distinguishes between personal information and private information. Personal information is any information that could identify a person.

Private information, on the other hand, is either:

  • Personal information, when combined with any one or more of the following data elements:
    1. Social security number;
    2. Driver's license number or non-driver identification card number;
    3. Account number, credit or debit card number, along with any required security code, access code, password, or other information that would allow access to an individual's financial account;
    4. Account number, credit or debit card number, under circumstances where such a number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or
    5. Biometric information, which is data made by electronically measuring a person's unique physical traits, like a fingerprint, voice print, retina or iris image, or any other unique physical or digital representation of biometric data used for identification or authentication.
  • A username or email address in combination with a password, or with a security question and answer, that would allow access to an online account.

The Shield Act adds a few categories of data to the definition, including biometric data and online user account credentials. There was no duty to report data breaches involving these types of data before.

Private information does not include information that is made available through public records.

Does the New York Shield Act apply to my business?

The Shield Act applies to any business that handles the private information of New York residents.

Unlike the 2005 law that applied only to businesses conducting business from New York State, the Shield Act broadens the territorial scope to businesses from outside the state as long as they get access to a New York resident's data.

What is a data breach under the Shield Act?

The new, expanded definition of a data breach now includes any unauthorized access to computerized data that compromises the confidentiality, security, or integrity of private information.

The definition of the 2005 law included only the "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of private information."

The new definition, however, expands the scope of the law to include any unauthorized access to private information, not only acquiring such data.

What are the New York Shield Act breach notification and data security requirements?

The New York data breach notification law requires businesses to implement safeguards to protect the security of data under their control and to report data breaches when they occur.

Data breach notification requirements

The Shield Act requires any covered person or business to notify consumers about any breach of their private data in its computer systems. You must send the notification as soon as possible.

Aside from notifying consumers, you also have to notify the Office of the New York State Attorney General, the New York Department of State, and the New York State Police of:

  • The timing, content, and distribution of the notices, and
  • The approximate number of affected persons.

You may be allowed to provide the consumer with a substitute notification if your regular communication channels with them would cost you over $250,000, you need to contact over 500,000 people, or you just don't have contact information for all of them.

In such a case, you may notify them via:

  • email notice
  • conspicuous posting on the entity’s website
  • notification to statewide media

Moreover, there's no legal obligation to notify consumers if:

  • The breach was accidental and carried out by individuals who are authorized to handle such information, or
  • You reasonably conclude that the accidental exposure is unlikely to lead to the misuse of the data, financial detriment to the impacted individuals, or emotional distress from undisclosed online credentials.

This assessment must be recorded in writing and kept for a minimum of five years. If the event impacts more than 500 New York residents, the written assessment must be submitted to the Attorney General within 10 days following the decision.

New York Shield Act reasonable safeguards

The Act proposes a number of safeguards that businesses could implement to comply with this law. These include technical, physical, and administrative safeguards.

Technical safeguards include:

  • Assessing risks in network and software design;
  • Assessing risks in information processing, transmission, and storage;
  • Regularly testing and monitoring the effectiveness of key controls, systems, and procedures;
  • Detecting, preventing, and responding to attacks or system failures.

Physical data security requirements include:

  • Evaluating the vulnerabilities associated with the storage and disposal of information;
  • Identifying, preventing, and addressing unauthorized system breaches;
  • Safeguarding against unauthorized access or use of confidential data, from the point of collection and transportation to its eventual destruction or disposal;
  • Timely erasure of confidential data from electronic media once it's no longer required for business activities, so that it can't be read or reassembled.

Administrative security requirements include:

  • Assigning one or more staff members to oversee the security measures;
  • Spotting likely risks from both inside and outside the organization;
  • Checking whether the current safety measures are good enough to handle the risks identified;
  • Educating and guiding staff on how to follow the security program's rules and steps;
  • Picking vendors who can keep data safe and making sure they do so through contracts;
  • Updating the security plan when there are changes in the business or new situations arise.

It is your duty to determine which safeguards should be added to your data security program. You are free to decide which ones are appropriate for your business and implement them.

SHIELD Act enforcement and penalties

The New York Attorney General enforces the Shield Act.

The Attorney General can seek injunctive relief, restitution, or penalties; the court issues the penalties. There is an upper cap of:

  • $20 per instance of failed notification, not to exceed $250,000 for failure to notify, and
  • $5,000 per violation for not implementing adequate safeguards.

Final thoughts

The required safeguards are a no-brainer for any business that cares about personal information security. Every business that has some data protection program in place would likely comply with the SHIELD Act without taking any additional actions.
