Effective March 21, 2020, New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which was enacted in July 2019 (the "Act"), will require businesses to implement safeguards to protect the "private information" of New York residents, including any New York employees. The Act's earlier provisions, which expanded the state's breach notification requirements, took effect on October 23, 2019.
The Act defines "private information" to include personal information such as a name or other identifier in combination with:
- An individual’s social security number;
- Driver's license number;
- Certain financial account information (an account number or credit or debit card number) together with information permitting access to the account (e.g. a password, security code or access code), or on its own if the number could be used to access the account without any such additional information;
- Biometric information used to authenticate or ascertain an individual’s identity;
- A username or e-mail address together with a password or security question and answer (under the Act this combination is private information on its own, without a name or other identifier); or
- Any unsecured protected health information as defined by the Health Insurance Portability and Accountability Act (“HIPAA”) (collectively the “Data Elements”).
To the extent that personal information or the Data Elements are encrypted and, further, provided that the encryption key has not been accessed or acquired, they do not constitute “private information” for purposes of the Act.
The Act requires businesses to implement and maintain reasonable safeguards to protect private information, including developing and implementing a “data security program.” The data security program includes, among other elements, designating one or more employees to coordinate the program, assessing risks in network design, software design, and information processing and storage, and disposing of private information within a reasonable time after it is no longer needed for business purposes. The data security program must cover internal information, such as employee personnel data and human resources records, as well as any other “private information” a business may need to protect.
While the Act applies to all employers regardless of size, small businesses (defined as those having fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) need only ensure that their data security safeguards are appropriate for the size and complexity of the business, the nature and scope of the business's activities, and the sensitivity of the personal information the business handles. The Act does not provide substantive guidance on what will be considered "appropriate" for these purposes. Additionally, companies subject to, and in compliance with, other legal and regulatory regimes, such as the Gramm-Leach-Bliley Act, HIPAA, and the NY Department of Financial Services Cybersecurity Regulation, are deemed to be in compliance with the Act's data security program requirements.
The Act does not create a private right of action; instead, covered businesses are subject to enforcement by the New York Attorney General. Knowing or reckless violations of the previously-enacted breach notification obligations carry civil penalties of up to $20 per instance of failed notification, capped at $250,000. Violations of the reasonable safeguard requirements may carry penalties of up to $5,000 per violation. The Act also lengthens the statute of limitations for Attorney General actions from two (2) years to three (3) years.
All businesses possessing “private information” of New York residents and/or having employees in New York should ensure that their data security programs and reporting mechanisms are prepared for the impact of the Act.