What You Need to Know About the SHIELD Act in New York
Updated: 2021 Mar. 2
Data breaches occur far too often. As a result, many states are passing laws that impose stricter cybersecurity obligations on businesses. New York recently became one of those states with the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act, which requires businesses that collect private information about New York residents to implement reasonable administrative, technical and physical security measures that meet certain standards. The Act, which will have a much broader impact than previous federal and state laws, was signed into law on July 26, 2019, and takes effect March 21, 2020. To prepare, businesses must understand their obligations.
CHANGES IN NEW YORK LAW
The SHIELD Act amends and adds to New York’s existing breach notification law in several ways, such as:
- “Private information.” The Act broadens the definition of “private information” to include personal information combined with one or more non-encrypted data elements, such as driver’s license or non-driver ID card numbers; social security numbers; and certain account, credit or debit card numbers, including those without security or access codes. Other examples of non-encrypted data elements include biometric information (e.g., a fingerprint, voice print, retina or iris image, or other unique physical or digital representation used to authenticate or ascertain an individual’s identity) and usernames or e-mail addresses, together with any passwords or security questions and answers, that would permit access to an online account.
- “Breach.” The Act also broadens the meaning of “breach,” which is now defined as unauthorized access of computerized data that jeopardizes individuals’ private information, security or confidentiality. Previously, a “breach” was limited to the unauthorized acquisition of computerized data.
- Notification requirements. The Act adds that when a breached business transmits a breach notification to affected individuals, it must do so without delay, and the notice must describe the types of information exposed as a result of the breach and include the contact information of the proper state and federal agencies, namely those that provide information on identity theft detection and prevention and security breach response.
- Territorial scope. The Act applies to any business that collects private information about New York residents. Previously, the law applied only to companies that conducted business in New York.
- Penalties. Businesses that fail to comply with the Act face higher penalties. The New York State Attorney General can seek $20 per failed notification (up from $10 under prior law) with a maximum penalty of $250,000 (up from $100,000).
IMPACT ON CONSUMERS
The SHIELD Act does not provide for a private right of action, so consumers cannot sue a company for failing to comply with the Act. However, the New York Attorney General can bring an action against a business, as well as impose stiff penalties—a strong incentive for businesses to comply. Ultimately, consumers benefit from enhanced data protection efforts. For example, the Act’s requirement that breached businesses issue a prompt notice to consumers allows consumers to change passwords, close accounts, institute credit report monitoring and take other immediate action to protect themselves. In addition, New York residents have these same protections even if a breach occurs in a company that is located outside of New York because, as discussed above, the Act applies to any business that collects private information about New York residents.
IMPACT ON EMPLOYERS/BUSINESSES
The SHIELD Act’s implementation affects many companies across the U.S. and internationally. Affected businesses should take the following steps:
- Review data security policies, procedures, and technology. The Act requires that companies implement various administrative, technical and physical safeguards to protect their data and prevent security breaches. Such safeguards may include conducting risk assessments, designating at least one employee to implement and monitor a security program, regularly monitoring and testing security systems, selecting capable vendors, disposing of sensitive private information securely and in a timely manner, and other actions set forth in the law.
- Update HR policies and training. Employers should instruct employees on the importance of properly securing customer information both internally and externally. Employers should also educate employees on when the SHIELD Act applies, how to handle customers’ private information, procedures related to breach notification, and data retention and disposal policies.
- Vet data security of third parties. When entering into a third-party contract with a vendor who might handle consumers’ private information, businesses should make sure that the vendor also maintains data safeguards under the SHIELD Act and, to mitigate any potential liability, include data security provisions in the contract.
Note that small businesses—businesses with fewer than 50 employees or less than $3 million in gross annual revenue—are held to a less stringent standard and may tailor their data safeguards based on the size and nature of their business and the sensitivity of the private information it handles. If you have questions about compliance with the SHIELD Act, consult an experienced business and employment attorney for advice.