Top 4 Questions on the Reasonable Data Security Requirements under New York's SHIELD Act

New Data Security Requirements were Effective March 21, 2020

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was signed into law by Governor Andrew Cuomo of New York on July 25, 2019. The SHIELD Act amended the state’s existing data breach notification law by expanding the definitions of “private information” and “breach of the security of the system” and broadening the territorial scope of the notification requirements. The SHIELD Act also added new “reasonable” data security requirements. The data breach-related amendments were effective on October 23, 2019 and the data security requirements were effective on March 21, 2020.

The latter deadline may not have been high on the radar of some companies as they grappled with pandemic-related issues. It may now be time to focus on these new data security requirements. Companies subject to the SHIELD Act should ensure that all required data security safeguards are in place and that they remain vigilant against cyber threats, including coronavirus-themed malware, ransomware, and phishing attacks attempting to exploit new work from home arrangements and other disruptions in business operations caused by the pandemic.

1. What businesses are subject to the data security requirements under the SHIELD Act?

   The SHIELD Act requires any person or business that owns or licenses computerized data that includes the private information of any New York resident to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information, including, but not limited to, the disposal of data. The term “private information” is broadly defined to include either:

2. What are the required “reasonable” data security requirements under the SHIELD Act?

   The SHIELD Act does not mandate specific data security safeguards. Instead, the SHEILD Act provides the following examples of practices that, if implemented, will be deemed to be reasonable administrative, technical, and physical data safeguards:

Administrative Safeguards

• Designate one or more employees to coordinate the security program;
• Identify reasonably foreseeable internal and external risks;
• Assess the sufficiency of safeguards in place to control the identified risks;
• Train and manage employees in security program practices and procedures;
• Select service providers that can maintain appropriate safeguards and require those safeguards by contract; and
• Adjust the security program, as needed, to reflect business changes or new circumstances.

Technical Safeguards

• Assess risks in network and software design;
• Assess risks in information processing, transmission, and storage;
• Detect, prevent, and respond to attacks or system failures; and
• Regularly test and monitor the effectiveness of key controls, systems, and procedures.

Physical Safeguards

• Assess risks of information storage and disposal;
• Detect, prevent, and respond to intrusions;
• Protect against unauthorized access to or use of private information during or after collection, transportation and destruction, or disposal of information; and
• Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

The SHIELD Act establishes a compliance floor. It does not assume that companies should only adopt the measures identified above to protect the confidentiality, security, and integrity of the personal information they maintain about New York residents. In addition to the safeguards outlined in the SHIELD Act, companies should consider adopting other safeguards, such as the following:

• Data access management plans;
• Data minimization programs;
• Written data privacy and security policies and procedures that, among things, identify the penalties that will be imposed on employees and other individuals who violate the policies and procedures;
• Physical facility security plans;
• Written disaster recovery and business continuity plans, including periodic mock response practices;
• Equipment and device inventory tracking;
• Encryption and data loss prevention tools;
• Written incident response programs, including periodic mock response practices;
• Regular updating of antivirus and malware protections;
• Two-factor authentication requirements; and
• Record retention and destruction policies.

1. What are the penalties for failing to comply with the data security requirements under the SHIELD Act?

   Although the SHIELD Act does not provide for a private right of action for violations, the New York Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. A court may impose a civil penalty of not more than $5,000 per violation of the reasonable data security requirements.

2. What do companies need to do now to comply with the data security requirements under the SHIELD Act?

   Companies should not adopt a “privacy distancing” strategy, even if they are not subject to the data security requirements under the SHIELD Act. Companies should continuously assess and review both their data breach prevention and incident response plans and data security programs. Data breaches happen, but they are less likely to happen if a company has employed and maintains a comprehensive and agile data security program.

Any company that holds the “computerized data which includes private information” of any New York resident, regardless of whether the company does business in New York, must comply the new data security requirements under the SHIELD Act, unless the company is required to comply with other specific data security requirements. Companies subject to the SHIELD Act should review their data security programs to identify the private information they collect about New York residents and, at a minimum, implement the security measures outlined in the SHIELD Act. It is time to get closer than six feet to the SHIELD Act.