The New York “Stop Hacks and Improve Electronic Data Security Act” (SHIELD ACT), N.Y. Gen Bus. Law§ 899-bb, requires businesses that collect private information on New York residents to implement reasonable cybersecurity safeguards to protect that information. While this is a new law in the State of New York, New York is simply joining other states like California, Rhode Island, and Massachusetts in setting these type of standards (i.e. requirement for a written information security program (WISP)). New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing, and is set to go into effect on March 21, 2020. Notably, New York’s law covers all employers, individuals or organizations, regardless of location, that collect private information on New York residents.

Under the SHIELD Act, “private information” is defined as:

  • Any individually identifiable information such as name, number or other identifier coupled with social security number, driver’s or non-driver identification card number or account number, credit or debit card number in combination with any security code, access code, password or other information that would permit access to the individual’s financial account, or biometric information (such as fingerprint, voice print, retina or iris image);
  • individually identifiable information coupled with an account number, credit or debit card number if circumstances exist wherein such number could be used to access an individual’s financial account even without additional identifying information, or a security code, access code or password; or,
  • a username or email address in combination with a password or security question and answer that would permit access to an online account.

The law broadly requires that “any person or business” that owns or licenses computerized data which includes private information of a New York resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but not limited to, the disposal of data.”

In order to achieve compliance, a business must implement a data security program that includes at least the following:

  • reasonable administrative safeguards that may include designation of one or more employees to coordinate the security program, identification of reasonably foreseeable external and insider risks, assessment of existing safeguards, workforce cybersecurity training, selection of service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract, and a process for implementing adjustments to the security program based on business changes or new circumstances;
  • reasonable technical safeguards that may include risk assessments of network, software design and information processing, transmission and storage, implementation of measures to detect, prevent and respond to system failures, and regular testing and monitoring of the effectiveness of key controls; and,
  • reasonable physical safeguards that may include detection, prevention and response to intrusions, and protections against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal of the information, and disposal of information after a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

There is an exception for small businesses of fewer than 50 employees, less than $3 million in gross revenues in each of last three (3) fiscal years, or less than $5 million in year-end total assets. These businesses may scale their data security program according to their size and complexity, the nature and scope of its business activities and the nature and sensitivity of the information collected. There are also exceptions for entities that are covered by and in compliance with the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services cybersecurity regulations–these organizations are deemed in compliance with the SHIELD Act.

Failure to implement a compliant information security program is enforced by the New York State Attorney General and may result in injunctive relief and civil penalties of up to $5,000 for each violation.

Parts of the breach notification portion of this law (i.e., N.Y. Gen. Bus. Law§ 899-aa) were amended as well but will not apply unless a data breach occurs after March 21, 2020. Some of those changes include adding biometric information and email address with a password to the definition of personal information; notification to the New York Attorney General within ten (10) days of discovery of a breach if the breach affects over 500 New York residents; and increased penalties for violations.

While March 2020 may seem too far in the future to take action now, your business should assess whether this law applies and whether any of its processes and procedures need updating or whether a WISP should be implemented if you don’t already have one in place.