The New York State SHIELD law is a data protection act passed in July 2019. However, the NY SHIELD Act effective date was March 2020. It focuses on provisions for effective safeguards regarding computerized data of personal information.
The Stop Hacks and Improve Electronic Data Security Act, also known as the NY SHIELD Act, requires businesses to adopt security programs to reduce risks of a data breach.
The NY SHIELD Act introduced a number of amendments, including:
The New York State Shield Act broadened the definition of the term “private information” to include biometric information and username or email address in combination with a password or security questions and answers. Personal information also includes an account number or credit card number, even without a security code, access code, or password if the account can be accessed without this information.
The Act expanded the definition of the term “breach of the security of the system” to include unauthorized access of computerized data that compromises the security, confidentiality, or integrity of personal information. It also offers sample indicators of access. Before this expanded definition, a breach was defined only as the unauthorized acquisition of computerized data.
Companies need to follow best practices to make sure that they are in compliance with the SHIELD Act, including:
Adopting a company-wide Cybersecurity Program, compliant with the NY SHIELD Act requirements
Appointing a Chief Information Security Officer, or CISO, or other individual tasked with overseeing the Cybersecurity Program
Conducting diligence on all third-party vendors to ensure that they have appropriate cybersecurity-related internal controls
Onboarding and periodic cybersecurity training should be scheduled for all current and new employees
Under the NY SHIELD Act summary, the SHIELD Act mandates that companies create, implement, and maintain reasonable safeguards to protect the integrity, confidentiality, and security of New York residents’ data in three different ways:
The Cybersecurity Program needs to have administrative safeguards like designating one or more employees to coordinate the Cybersecurity Program, assessing internal and external data security-related risks, and the sufficiency of safeguards in place to control the identified risks. Safeguards also include training and managing employees in the cybersecurity practices, selecting vendors capable and obligated to meet standards, and adjusting the program in light of changes and new circumstances.
The program must implement technical safeguards, like assessing data security-related risks of network and software design and information processing, transmission, and storage. They must also detect, prevent, and respond to attacks or system failures and test and monitor the effectiveness of controls, systems, and procedures.
The program must implement physical safeguards, like assessing risks of information storage and disposal, detecting, preventing, and responding to intrusions, protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information, and disposal of private information within a reasonable amount of time after it is no longer needed.
Wondering if the SHIELD Act applies to your business? Here’s what you need to know:
Any person or business that owns or licenses computerized data is required to adopt a Cybersecurity Program. This computerized data includes the private information of New York residents, including biometric data, unsecured health information, financial account numbers, and email addresses with corresponding passwords or security questions and answers. This can possibly affect all New York businesses, as well as businesses in other states that have access to the data of New York residents.
The SHIELD Act typically does not apply to health information. Still, covered entities and business associates subject to the privacy and security rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) need to be aware of the SHIELD Act.
The New York data security act eases particular regulatory burdens on small businesses, enabling them to adopt reasonable administrative, technical, and physical safeguards that are appropriate based on the size and complexity of the business and the sensitivity of the data. Since a small business is defined as a business with fewer than 50 employees, less than $3 million in gross annual revenue in the past three years, or less than $5 million in year-end total assets, most companies exceed these thresholds.
Businesses that are already compliant with specific federal or New York data protection regimes are considered compliant with certain parts of the SHIELD Act.
All other businesses must create, implement, and maintain reasonable safeguards to protect the security, integrity, and confidentiality of New York residents’ data.
For data breach notification violations that are not reckless or knowing, a court can award damages for actual costs or losses incurred by a personal entitled to notice. For knowing and reckless violations, a court can impose penalties of up to $5,000 or $20 per instance with a cap of $250,000, whichever is greater. For reasonable safeguard requirement violations, a court can impose penalties of up to $5,000 per violation.
If you want to learn more about the NY SHIELD Act, including compliance best practices, contact Delphix.