The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was signed into law by Governor Andrew Cuomo of New York on July 25, 2019. The SHIELD Act amended the state's existing data breach notification law by expanding the definitions of "private information" and "breach of the security of the system" and broadening the territorial scope of the notification requirements. The SHIELD Act also added new "reasonable" data security requirements. The data breach-related amendments were effective on October 23, 2019 and the data security requirements were effective on March 21, 2020.
The latter deadline may not have been high on the radar of some companies as they grappled with pandemic-related issues. It may now be time to focus on these new data security requirements. Companies subject to the SHIELD Act should ensure that all required data security safeguards are in place and that they remain vigilant against cyber threats, including coronavirus-themed malware, ransomware, and phishing attacks attempting to exploit new work from home arrangements and other disruptions in business operations caused by the pandemic.
The SHIELD Act requires any person or business that owns or licenses computerized data that includes the private information of any New York resident to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information, including, but not limited to, the disposal of data. The term "private information" is broadly defined to include either:
A user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Certain "compliant regulated entities" subject to other data security requirements, such as those under the regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), will be considered to be in compliance with the data security requirements under the SHIELD Act. The SHIELD Act also includes some limited compliance relief for businesses that meet one of the following conditions:
Small businesses that meet one of the requirements above must still adopt reasonable and appropriate administrative, technical, and physical safeguards, but those safeguards may be designed to reflect the following:
The SHIELD Act does not mandate specific data security safeguards. Instead, the SHIELD Act provides the following examples of practices that, if implemented, will be deemed to be reasonable administrative, technical, and physical data safeguards:
The SHIELD Act establishes a compliance floor. It does not assume that companies should only adopt the measures identified above to protect the confidentiality, security, and integrity of the personal information they maintain about New York residents. In addition to the safeguards outlined in the SHIELD Act, companies should consider adopting other safeguards, such as the following:
Although the SHIELD Act does not provide for a private right of action for violations, the New York Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. A court may impose a civil penalty of not more than $5,000 per violation of the reasonable data security requirements.
Companies should not adopt a "privacy distancing" strategy, even if they are not subject to the data security requirements under the SHIELD Act. Companies should continuously assess and review both their data breach prevention and incident response plans and data security programs. Data breaches happen, but they are less likely to happen if a company has employed and maintains a comprehensive and agile data security program.
Any company that holds the "computerized data which includes private information" of any New York resident, regardless of whether the company does business in New York, must comply with the new data security requirements under the SHIELD Act, unless the company is required to comply with other specific data security requirements. Companies subject to the SHIELD Act should review their data security programs to identify the private information they collect about New York residents and, at a minimum, implement the security measures outlined in the SHIELD Act. It is time to get closer than six feet to the SHIELD Act.