Top 4 Questions on the "Reasonable" Data Security Requirements under New York's SHIELD Act


New Data Security Requirements were Effective March 21, 2020

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was signed into law by Governor Andrew Cuomo of New York on July 25, 2019. The SHIELD Act amended the state's existing data breach notification law by expanding the definitions of "private information" and "breach of the security of the system" and broadening the territorial scope of the notification requirements. The SHIELD Act also added new "reasonable" data security requirements. The data breach-related amendments were effective on October 23, 2019, and the data security requirements were effective on March 21, 2020.

The latter deadline may not have been high on the radar of some companies as they grappled with pandemic-related issues. It may now be time to focus on these new data security requirements. Companies subject to the SHIELD Act should ensure that all required data security safeguards are in place and that they remain vigilant against cyber threats, including coronavirus-themed malware, ransomware, and phishing attacks attempting to exploit new work-from-home arrangements and other disruptions in business operations caused by the pandemic.

  1. What businesses are subject to the data security requirements under the SHIELD Act?

    The SHIELD Act requires any person or business that owns or licenses computerized data that includes the private information of any New York resident to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information, including, but not limited to, the disposal of data. The term "private information" is broadly defined to include either:

    1. Personal information (i.e., any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person) in combination with any one or more of the following data elements:
      1. Social security number;
      2. Driver's license number or non-driver identification card number;
      3. Account number, credit or debit card number, in combination with any required security code, access code, password, or other information that would permit access to an individual's financial account;
      4. Account number, credit or debit card number, if circumstances exist that would permit such number to be used to access an individual's financial account without additional identifying information, security code, access code, or password; or
      5. Biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity; or
    2. A user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

    Certain "compliant regulated entities" subject to other data security requirements, such as those under the regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), will be considered to be in compliance with the data security requirements under the SHIELD Act. The SHIELD Act also includes some limited compliance relief for businesses that meet one of the following conditions:

    • Fewer than 50 employees;
    • Less than $3 million in gross annual revenue in each of the last three fiscal years; or
    • Less than $5 million in year-end total assets calculated in accordance with generally accepted accounting principles.

    Small businesses that meet one of the requirements above must still adopt reasonable and appropriate administrative, technical, and physical safeguards, but those safeguards may be designed to reflect the following:

    • Size and complexity of the business;
    • Nature and scope of the activities of the business; and
    • Sensitivity of the personal information that the business collects from or about New York residents.

  2. What are the required "reasonable" data security requirements under the SHIELD Act?

    The SHIELD Act does not mandate specific data security safeguards. Instead, the SHIELD Act provides the following examples of practices that, if implemented, will be deemed to be reasonable administrative, technical, and physical data safeguards:

    Administrative Safeguards
    • Designate one or more employees to coordinate the security program;
    • Identify reasonably foreseeable internal and external risks;
    • Assess the sufficiency of safeguards in place to control the identified risks;
    • Train and manage employees in security program practices and procedures;
    • Select service providers that can maintain appropriate safeguards and require those safeguards by contract; and
    • Adjust the security program, as needed, to reflect business changes or new circumstances.

    Technical Safeguards
    • Assess risks in network and software design;
    • Assess risks in information processing, transmission, and storage;
    • Detect, prevent, and respond to attacks or system failures; and
    • Regularly test and monitor the effectiveness of key controls, systems, and procedures.

    Physical Safeguards
    • Assess risks of information storage and disposal;
    • Detect, prevent, and respond to intrusions;
    • Protect against unauthorized access to or use of private information during or after collection, transportation and destruction, or disposal of information; and
    • Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

    The SHIELD Act establishes a compliance floor. It does not assume that companies should only adopt the measures identified above to protect the confidentiality, security, and integrity of the personal information they maintain about New York residents. In addition to the safeguards outlined in the SHIELD Act, companies should consider adopting other safeguards, such as the following:

    • Data access management plans;
    • Data minimization programs;
    • Written data privacy and security policies and procedures that, among other things, identify the penalties that will be imposed on employees and other individuals who violate the policies and procedures;
    • Physical facility security plans;
    • Written disaster recovery and business continuity plans, including periodic mock response practices;
    • Equipment and device inventory tracking;
    • Encryption and data loss prevention tools;
    • Written incident response programs, including periodic mock response practices;
    • Regular updating of antivirus and malware protections;
    • Two-factor authentication requirements; and
    • Record retention and destruction policies.

  3. What are the penalties for failing to comply with the data security requirements under the SHIELD Act?

    Although the SHIELD Act does not provide for a private right of action for violations, the New York Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. A court may impose a civil penalty of not more than $5,000 per violation of the reasonable data security requirements.

  4. What do companies need to do now to comply with the data security requirements under the SHIELD Act?

    Companies should not adopt a "privacy distancing" strategy, even if they are not subject to the data security requirements under the SHIELD Act. Companies should continuously assess and review both their data breach prevention and incident response plans and data security programs. Data breaches happen, but they are less likely to happen if a company has employed and maintains a comprehensive and agile data security program.

    Any company that holds the "computerized data which includes private information" of any New York resident, regardless of whether the company does business in New York, must comply with the new data security requirements under the SHIELD Act, unless the company is required to comply with other specific data security requirements. Companies subject to the SHIELD Act should review their data security programs to identify the private information they collect about New York residents and, at a minimum, implement the security measures outlined in the SHIELD Act. It is time to get closer than six feet to the SHIELD Act.