On March 21, 2020, the data security requirements of New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) take effect. Under this Act, all companies that collect private, personal information about New York residents must implement safeguards to protect the security, confidentiality, and integrity of such information. The SHIELD Act applies even to companies not located in New York.

Data Security Requirements Generally

Although many companies already have data security programs in place, companies should review their programs to ensure compliance with the SHIELD Act, which for companies not considered small businesses involves implementing the following safeguards.

Reasonable Administrative Safeguards

  • Designate one or more employees to coordinate the security program.
  • Identify reasonably foreseeable internal and external risks.
  • Assess the sufficiency of safeguards in place.
  • Provide employee training and management on security program practices and procedures.
  • Select service providers capable of maintaining appropriate safeguards and require those safeguards by contract.
  • Adjust its security program in light of business changes or new circumstances.

Reasonable Technical Safeguards

  • Assess risks in the design of its network and software for managing private, personal information.
  • Assess risks in its information processing, transmission, and storage of private, personal information.
  • Detect, prevent, and respond to attacks against or failures of its network and software for managing private, personal information.
  • Regularly test and monitor the effectiveness of key controls, systems, and procedures pertaining to private, personal information.

Reasonable Physical Safeguards

  • Assess the risks of its methods for storage and disposal of private, personal information.
  • Detect, prevent, and respond to intrusions into physical property that contains private, personal information.
  • Protect against unauthorized access to or use of private, personal information during or after the collection, transportation, and destruction or disposal of the information.
  • Dispose of private, personal information within a reasonable time after it is no longer needed for business purposes.

Data Security Requirements for a Small Business

The SHIELD Act imposes fewer requirements on a small business, defined as any person or business with (i) fewer than 50 employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets. A small business’s security program need only contain appropriate safeguards for the size and complexity of the business, the nature and scope of the business’s activities, and the sensitivity of the private, personal information that the business collects.

Limitations on Scope and Enforcement

Compliance with other privacy laws, including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act, New York’s cybersecurity regulations, or any other federal or New York data security laws, exempts a business from the data security requirements of the SHIELD Act.

The Attorney General of New York enforces the SHIELD Act and can seek either injunctive or civil penalties of up to $5,000 for each violation. The SHIELD Act does not permit individuals to sue for what they consider violations.