New York’s SHIELD Act, a new data breach notification law

New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a data breach notification law that amends earlier New York laws of a similar nature and imposes further restrictions and data security requirements on companies that collect information from New York residents. The SHIELD Act was introduced and ultimately passed in March 2020 in response to a report by the office of New York State Attorney General Eric T. Schneiderman showing that the state of New York experienced a 60% increase in data breaches in 2016. By placing additional requirements on companies that process the personal information of New York State consumers, the SHIELD Act seeks to broaden the scope of consumer privacy and better protect New York consumers from breaches of their personal information.

Under the SHIELD Act, personal information can mean either of the following:

  • A username or email address that is used in combination with a password or security question and answer that would permit access to an online account, or
  • Personal information consisting of any information in combination with any of the following data elements, when either the data element or the combination of personal information and data element is not encrypted, or is encrypted with an encryption key that has also been acquired or accessed:
      • Social Security number;
      • driver’s license or non-driver identification card number;
      • account number, or debit or credit card number, in combination with any access code, password, security code, or other information that would permit access to an individual’s financial account;
      • account number, or credit or debit card number, if circumstances exist where this information could be used to access an individual’s financial account without any further identifying information, passcode, access code, or security code; and
      • biometric information.

What are the SHIELD Act’s requirements?

The SHIELD Act introduces significant changes to the existing General Business Law 899aa, including:

  • The law broadens the definition of “personal information”: the SHIELD Act expands the definition of personal information to include biometric information, account numbers, access codes, debit and credit card numbers, email addresses, usernames, passwords, and security questions and answers.
  • The law expands the definition of a “breach”: under General Business Law 899aa, a breach was defined as “unauthorized acquisition of computerized data”. By contrast, the SHIELD Act defines a breach as “unauthorized access of computerized data that compromises the security, confidentiality, or integrity of private information”.
  • The law also provides specific examples of unauthorized access and updates the procedures that businesses must follow in the event of a breach.
  • The law expands the territorial scope: General Business Law 899aa was limited to “parties that conducted business in New York”. Under the SHIELD Act, this scope is expanded to include any person or business that owns or licenses the private information of a New York resident. With this broadened definition, many companies that previously were not subject to General Business Law 899aa must now adhere to the SHIELD Act.
  • The law imposes new data security requirements: the SHIELD Act mandates that companies and businesses adopt reasonable safeguards to protect the security, confidentiality, and integrity of personal information. Businesses and companies are advised to implement a data security program that includes specific measures, risk assessments, employee training, vendor contracts, and timely data disposal. Moreover, it also requires business entities to designate an employee to oversee cybersecurity operations.

How do business entities maintain compliance with the SHIELD Act?

Business entities are considered to be in compliance with the SHIELD Act if they implement reasonable safeguards to prevent the leaking of a consumer’s personal data or information. This includes administrative, physical, and technical safeguards, and the law offers the following means by which to enact these safeguards and in turn ensure compliance:

  • Administrative safeguards: business entities are advised to carefully select vendors and set safeguards by contract, train employees in security program practices and procedures, designate an employee to be responsible for the security program, conduct risk assessments, and adjust security programs over time as the business changes.
  • Physical safeguards: business entities are advised to create systems to prevent, detect, and respond to physical intrusions, assess the risks of information storage and disposal, dispose of personal information within a reasonable amount of time, and protect against unauthorized access to private information at any point during the collection, transportation, or disposal of such information.
  • Technical safeguards: business entities are advised to identify risks in network and software design; identify risks in information storage, processing, and transmission; prevent, detect, and respond to system failures and attacks; and monitor and test the effectiveness of system controls and procedures.

What are the penalties for violating the SHIELD Act?

Business entities that fail to maintain compliance with the SHIELD Act are subject to civil penalties totaling $5,000 per violation. What’s more, businesses and companies are also subject to a $250,000 penalty for not properly notifying the appropriate authorities when a data breach occurs. The SHIELD Act makes exceptions for small businesses that employ fewer than 50 people and generate less than $3 million in yearly revenue, but these businesses are still required to implement security measures in accordance with the size and scope of their operations. All violations of the SHIELD Act are considered deceptive business practices and are enforced by the New York Attorney General.

New York State’s SHIELD Act is one of many online data privacy laws passed within the U.S. in recent years. As the personal information of consumers is collected via the internet more than ever before, state legislation such as the SHIELD Act is growing increasingly necessary across the country. While the U.S. has yet to pass a federal-level general consumer data privacy law, such legislation is undoubtedly on the horizon. With the SHIELD Act, New York State consumers are one step closer to having their personal information and data protected at all times when using the internet.