The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act (“the Act”) was enacted into New York State (“NYS”) Law in July of 2019. Major provisions of the law took effect in March of 2020. In case your attention was somehow divided around that time and you missed the news, this article will provide an overview of the SHIELD Act’s purpose, scope, who is subject to it, what it requires, and the potential consequences for being out of compliance.
The SHIELD Act aims to safeguard the online private information of New Yorkers by requiring businesses to notify anyone whose private information it stores anytime it suffers a cyber security breach. It also calls for preemptive safeguards to be put in place to avoid breaches occurring in the first place. The Act updates and amends the 2005 Information Security Breach and Notification Act to buttress previously applicable requirements and provide additional protections. It applies to most businesses that store the personal information of customers, employees, vendors, or anyone else.
What is Private Information?
If your business stores any “private information” of NYS residents, it is probably subject to the SHIELD Act’s requirements. The definition of private information is expanded to include that “which, because of name, number, personal mark, or other identifier, can be used to identify” the person it belongs to, stored in combination with any: biometric information (e.g., fingerprint, voice print, retina, or iris image), usernames or email addresses in combination with a passwords or security questions and answers, account numbers, credit/debit card numbers (with or without a security code), access codes, and passwords. Basically, the Act aims for any business that stores information that a malefactor could use to access New Yorkers’ sensitive accounts to be subject to its requirements.
Required Security Programs
The Act requires covered entities to have certain cybersecurity safeguards in place. These are referred to in the law as a “cybersecurity program.” Your cybersecurity program should be documented in a way that will allow you to demonstrate to a regulator or law enforcement officer that it exists. The cybersecurity program must protect the “security, confidentiality, and integrity” of individuals’ private information. It must include certain administrative, technical, and physical safeguards: identification of reasonably foreseeable internal and external risks; regular testing and monitoring the effectiveness of key controls, systems and procedures; and disposing of private information after it’s no longer needed for business purposes such that it cannot be read or reconstructed.
The Act requires that if a business experiences a data breach that compromises private information, it must disclose the breach to any New Yorker potentially affected. Disclosure must be made promptly once the business discovers the breach, in manner consistent with the legitimate needs of law enforcement.
The Act broadens the definition of a data breach to include any access or acquisition of computerized data that compromises the security, confidentiality, or integrity of private information. Examples of access include viewing, copying, or downloading private information. If your business suffers a breach, it must also notify the NYS Attorney General (“AG”), NYS Department of State, and the division of state police. If more than 5,000 NYS residents are affected, you must also notify the consumer reporting agencies as to the timing, content and distribution of the notices, and approximate number of affected persons. Entities required to give notice pursuant to the Health Insurance Portability and Accountability Act of 1996 or the Health Information Technology for Economic and Clinical Health Act are now also required to notify the AG.
The Act requires notice be provided in writing or over the phone. It can be emailed only if the individuals consented to email notification before the breach. Substitute methods of notice are allowed if the cost of providing notice would exceed $250,000, or the number of persons to be notified exceeds 500,000.
Some of the burdens imposed by the SHIELD Act are lessoned for “small businesses.” Under the Act, small businesses are those with less than 50 employees, less than $3 million gross revenue during each of the last three fiscal years, or less than $5 million total assets.
Small businesses are in compliance with the Act if their security program contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business, the scope of their business activities, and the sensitivity of the personal information being collected. What exactly this means is a question for judges to decide, but if your small business is in the business of storing private information, it would be wise to er on the side of a more proactive cybersecurity program.
If a business violates the SHIELD Act, the AG can seek injunctive relief (force compliance or shut down), restitution (compensation of victims), or penalties. Failing to provide timely notification can result in penalty up to $20 per instance of failed notification, that is, per individual you didn’t notify, up to $250,000. The penalty for failing to maintain reasonable safeguards is up to $5,000 per violation.
Your organization’s obligations with regard to the SHIELD Act are based upon its circumstance. Compliance can be facilitated by the advice of experienced legal counsel. Please feel free to reach out to attorneys Justin Furry or Christopher Baiamonte at the Wladis Law Firm at (315) 445-1700 with questions regarding anything in this article.
Justin S. Furry
Mr. Furry received his BBA from the University of Toledo and his JD from Syracuse University College of Law.