The “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act went into effect in New York on March 21, 2020. The Shield Act requires businesses to implement safeguards with respect to “private information” of New York residents collected by a business and broadens New York’s security breach notification requirements.
A “covered entity” required to comply with the Shield Act includes any person or business which owns or licenses computerized data that includes “private information” of a resident of New York. “Private Information” is defined to include information of a natural person that could be used to identify the person (such as a name) that is collected in combination with another sensitive piece of data (e.g. a social security number; driver’s license number; credit card number; biometric data; e-mail address (if a password or security question and answer are also included)). This definition is typical of what is traditionally seen in a state breach notification statute but is much narrower than how personal information has recently been defined under the California Consumer Privacy Act and the EU’s General Data Protection Regulations.
Of important note, every employer with employees that are New York residents must comply with the Shield Act.
Implementing Reasonable Safeguards
Compliance requires a “covered entity” to implement reasonable security measures. The Shield Act does not mandate specific safeguards, but does provide that a “covered entity” will be deemed in compliance if it implements a data security program that includes all of the elements enumerated in the Shield Act, including:
Recommended Administrative Safeguards:
(a) Designating individual(s) responsible for security programs;
(b) Conducting a risk assessment process that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of safeguards in place to control those risks;
(c) Training and managing employees in security program practices and procedures;
(d) Selecting capable service providers and requiring safeguards by contract; and
(e) Adjusting program(s) in light of business changes or new circumstances.
Recommended Physical Safeguards:
(a) Assessing risks of information storage and disposal;
(b) Detecting, preventing, and responding to intrusions;
(c) Protecting against unauthorized access/use of private information during or after collection, transportation, and destruction/disposal; and
(d) Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes.
Recommended Technical Safeguards:
(a) Assessing risks in network and software design;
(b) Assessing risks in information processing, transmission, and storage;
(c) Detecting, preventing, and responding to attacks or system failures; and
(d) Regularly testing and monitoring the effectiveness of key controls, systems, and procedures.
There are two exceptions to implementing reasonable safeguards:
- Illustrating compliance with the Gramm-Leach-Bliley Act; or
- If a “covered entity” is a “small business”, the implementation of reasonable safeguards should be made in consideration of the size and complexity of the small business, the nature and scope of the small business’s activities and the sensitivity of the private information the small business collects from or about consumers. “Small business” is defined as any entity with fewer than fifty employees, less than three million dollars in gross annual revenue, or less than five million dollars in year-end total assets.
Breach Notification Requirements
In the event of a “breach of the security of the system”, a covered entity must:
(a) Provide notice immediately following discovery to affected residents through one of the following methods: (a) written notice; (b) electronic notice, provided that explicit consent is acquired, and the consent was not required to enter into the transaction; (c) telephone notification; or (d) a substitute notification subject to restrictions.
(b) Notify the state attorney general, the department of state and the state office of information technology services as to the timing, content and distribution of the notices and approximate number of affected persons and provide a copy of the template of notice sent to affected persons.
“Breach of the security of the system” is defined under the Shield Act as unauthorized access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business.
Penalties For Non-Compliance
- Data breach notification violations that are not reckless or knowing: Damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses.
- Knowing and reckless violations: The greater of $5,000 or up to $20 per instance with a cap of $250,000.
- Reasonable safeguard requirement violations: Not more than $5,000 per violation.
HOW TO PREPARE AND COMPLY
1. Develop Data Privacy and Security Policies and Procedures. Develop and implement sound, efficient and user-friendly data privacy and security policies and procedures to satisfy the administrative, physical and technical safeguards under the Shield Act.
a. A breach response policy and procedure should be adopted (or current drafts modified) to comply with the updated breach notification requirements set forth in the Shield Act.
b. To the extent that the “covered entity” has New York resident employees, ensure that all HR data is covered by the policies and that HR personnel receive procedural training.
2. Vendor Management and Due Diligence. Create, implement and follow a comprehensive vendor management program that governs the pass-through of data privacy and security compliance and requirements to all vendors. This program should govern not just IT providers, but more broadly be applied to all service providers who have access to, collect, transmit, store or in any other way process “person information”, including all HR related service providers.
3. Train, train, train. It is becoming standard for businesses to hold annual privacy and security training for all personnel who have access to “personal information”. At a minimum, “covered entities” should ensure that all IT and HR personnel are properly trained. All personnel who engage vendors on behalf of the “covered entity” should be aware of and trained on the business’s vendor management program.
As your business is developing and implementing a data privacy management program, reach out to a member of McGrath North’s Privacy and Cybersecurity Team with questions.