Picture of New York times square showing the requirements of data security provisions under New York SHIELD Act

Welcome to New York, Its Been Waiting for You … But Is Your Business Ready for the New York SHIELD Act?

New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which was signed into law on July 25, 2019, added important new requirements for businesses and organizations to develop and implement a data security program to safeguard the private information of New York residents. While some of the SHIELD Act’s provisions went into effect on October 23, 2019, the data security provisions took effect on March 21, 2020.

What businesses are subject to the SHIELD Act?

The SHIELD Act applies to any business that owns, stores, processes, or licenses “computerized data” which includes the “private information” of New York residents.  Importantly, the SHIELD Act applies to every business that owns, stores, processes or licenses the private information of New York residents even if that business does not have operations or employees in New York.

The broad reach of the SHIELD Act’s data security requirements is especially impactful on unregulated industries, such as the real estate industry, and non-profit organizations, which were not previously required by law to adopt cybersecurity-related programs. For example, a real estate management company that maintains New York tenant information is now required to develop an extensive data security program to protect the data of those tenants. Similarly, a California non-profit that accepts donations from New York residents would also be subject to the requirements of the SHIELD Act.

What is private information?

Under the Act, “private information” means either:

(i)    unencrypted personal information consisting of any information in combination with any of the following data elements: (1) Social Security number; (2) driver’s license number or other identification card number; (3) account, credit or debit card number, in combination with any other information that would permit access to an individual’s financial account; (4) account, credit or debit card number if circumstances exist wherein such number could be used to access an individual’s financial account without additional information; or (5) biometric information; or

(ii)  a user name or email address in combination with a password or security question and answer that would permit access to an online account.

What are the data security requirements?

The SHIELD Act mandates that a business develop, implement and maintain a data security program that includes three types of safeguards to protect the security, confidentiality and integrity” of New York residents’ data:

(i)            Administrative Safeguards.  The data security program must include reasonable administrative safeguards such as the following: designating responsible employees to coordinate the security program, identifying reasonably foreseeable internal and external risks, assessing current safeguards’ ability to control or mitigate the identified risks, training employees on the security program and its procedures, selecting service providers that can and will maintain safeguards, and adjusting security programs to account for business and external changes.

(ii)          Technical Safeguards.  The data security program must include reasonable technical safeguards such as the following: assessing network/software design risks; assessing risks relating to processing, transmitting and storing data; detecting, preventing and responding to attacks or system failures; and testing and monitoring the effectiveness of key controls, systems and procedures.

(iii)        Physical Safeguards.  The data security program must include reasonable physical safeguards such as the following: assessing information storage and disposal risks; detecting, preventing and responding to intrusions; protecting against unauthorized access to or use of private information during or after the collection, transportation or disposal of the information; and disposing of private information once it is no longer reasonably needed for business purposes in such a way that it cannot be read or reconstructed.

The SHIELD Act’s requirements are slightly lessened for “small businesses” – allowing them to adopt reasonable administrative, technical and physical safeguards that are appropriate based on the business’s size, nature and scope of its activities and the sensitivity of the data the business collects from or about New York residents. Most businesses, however, are likely to exceed the low thresholds for a “small business” – fewer than 50 employees, less than $3 million in gross annual revenue in the past three years, or less than $5 million in year-end total assets.  As such, even moderately sized businesses will likely be required to develop and implement an extensive data security program.

Finally, businesses that already are regulated by, and compliant with, any other federal or New York data security law (such as the cybersecurity regulations of the New York State Department of Financial Services, the Gramm-Leach-Bliley Act or HIPAA) are deemed compliant with the data security requirements of the SHIELD Act.

What is a business’s potential exposure for failure to comply?

Failure to comply with the SHIELD Act’s data security provisions is deemed a violation of New York General Business Law § 349 – which makes deceptive acts or practices in the conduct of business unlawful.  The New York Attorney General is authorized to bring an action to enjoin violations of the SHIELD Act and to obtain civil penalties of up to $5,000 for each violation.  The SHIELD Act, however, specifically states that its data security requirements create no private right of action for any violations.

What are the best practices for beginning the compliance process?

The March 21, 2020 deadline is quickly approaching.  In order to meet that deadline, businesses should prioritize:

  • Reviewing their information security programs to assess the “private information” they collect and evaluate their existing safeguards against the SHIELD Act’s data security requirements.
  • Adopting a business-wide data security program that is compliant with the SHIELD Act’s requirements.
  • Appointing a Chief Privacy Officer (CPO), Chief Information Security Officer (CISO) or another employee who is tasked with overseeing the data security program.
  • Conducting diligence on all third-party vendors to ensure that they have appropriate data security controls.  All contracts should be reviewed to confirm that their provisions obligate the vendors to meet the SHIELD Act’s data security standards.
  • Implementing regular training on cybersecurity and the data security program and procedures for all new and current employees.