Understanding The New York SHIELD Act
The New York “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act) goes into effect on March 21, 2020. The SHIELD Act requires all businesses that collect private information on New York residents to implement reasonable cyber security safeguards to protect that information. Everyone should become familiar with the law, as it applies to any employer, individual, or organization that collects private information on New York residents, as opposed to only businesses that operate within the state.
The SHIELD Act broadens two key definitions related to private information of New York residents: what private information includes, and what constitutes a security breach. In addition, the Act mandates increased data security protection requirements.
- Private Information: Under the Act, the definition of private information has been greatly expanded. In addition to personally identifiable information such as a person’s name and social security number, data such as biometrics, usernames/email addresses in combination with a password, credit/debit card or account numbers (even without a security code, as long as an unauthorized person could gain access to the account with the given information) are now considered private.
- Security Breach: Prior to the Act, a breach was defined as “the unauthorized acquisition of computerized data.” That definition is now expanded to include unauthorized access of computerized data, whether or not acquisition has occurred.
Data Protection Requirements
Businesses will be required to develop, implement, and maintain “reasonable safeguards to protect the security, confidentiality and integrity” of New York residents’ data including, but not limited to, disposal of data. Following are the three categories of safeguards:
- Administrative Safeguards: these include designating one or more employees to coordinate a security program, assessing current procedures and safeguards, company-wide cyber security training, service provider selection, and identifying reasonable risk caused by external or internal agents.
- Technical Safeguards: these include risk assessments related to data storage and transmission systems, networks, information processing, and software. Also included in technical safeguards are identification, measurements, and responses to system failures, as well as testing and monitoring to ensure the effectiveness of key controls.
- Physical Safeguards: these include detection and response to any attempted intrusions, protections against unauthorized access to or use of private information, and information disposal (including erasing electronic media to ensure information cannot be read or reconstructed).
Small businesses that meet a very narrow set of criteria may scale their data security programs in accordance with their size and the scope and nature of their business activities. The criteria for the exception are (a) the business has fewer than 50 employees; and (b) less than $3 million in gross revenues in each of the last three fiscal years, or less than $5 million in year-end total assets. Since most companies will exceed these thresholds, they will be required to implement a comprehensive plan.
In addition, businesses that are already regulated by other federal or New York data protection laws, such as HIPAA or the NYS Department of Financial Services, are considered in compliance with certain aspects of the SHIELD Act.
With the deadline only a few weeks away, it is imperative that your business assess whether current processes and procedures require updating.
For more information, please contact your Prager Metis advisor.