Data Security Requirements Under New York SHIELD Act

On July 25, 2019, New York State Governor Andrew Cuomo signed the “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act). The SHIELD Act amends New York’s General Business Law and is an expansion of New York’s existing cyber security and data breach notification laws. The act was updated to keep pace with individual use and dissemination of private information.

The SHIELD Act is designed to broaden the definition of data breaches to include unauthorized access to private information as well as expand the scope of information subject to the current data breach notification law to include biometric information (physical characteristics that verify an individual’s identity, i.e. fingerprint) and email addresses and their corresponding password or security questions with answers. Learn more about the SHIELD Act’s new requirements here.

The SHIELD Act requires that businesses that handle personal information of New York State residents’ must have “reasonable safeguards” in place to “protect the security, confidentiality, and integrity” of that information. If collecting New York residents’ information electronically, there must be reasonable security measures to protect that data. Businesses are “deemed in compliance” with the statute’s requirements to “implement and maintain reasonable safeguards” if:

1. Business complies with of a list of regulatory frameworks including:

a. Health Insurance Portability and Accountability Act (HIPAA)

b. Gramm-Leach Bliley Act (GLBA)

c. New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500)

d. Any other data and security rules and regulations administered by a federal or New York State government department, division, commission, or agency.

2. Business implements a data security program that includes specific elements.

Alternatively, an entity’s data security program can be deemed in compliance with the statute’s requirements if it includes:

1. Reasonable Administrative Controls

  • Designates one or more employee to coordinate the security program
  • Identifies reasonably foreseeable internal and external risks
  • Assesses the sufficiency of safeguards in place to control the identified risk
  • Trains and manages employees in the security program practices and procedures
  • Selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract
  • Adjusts the security program in light of business changes or new circumstances (e.g., COVID-19 / remote workforce)

2. Reasonable Technical Controls

  • Assesses network and software design risks
  • Assesses risk in data processing, transmission, and storage
  • Incident detection and response
  • Regular testing and monitoring of key controls and systems

3. Reasonable Physical Controls

  • Assesses risks of information storage and disposal
  • Detects, prevents, and responds to intrusions
  • Protects against unauthorized access to or use of privacy information during or after the collection, transportation, and destruction or disposal of the information
  • Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes

Reasonable cybersecurity posture will use measures to mitigate risks and will have a plan designed in the case of a breach or unauthorized access to data held.

Failure to comply with these data security requirements will be deemed a violation of the state’s prohibition on deceptive acts and practices. The New York Attorney General may pursue civil penalties of up to $5,000 per violation under the New York General Business Law Section 350-d. However, data security provisions do not create a private right of action.

In light of the SHIELD Act and many of the changes prompted by the COVID-19 pandemic, businesses should perform a thorough audit and assessment of their data security practices, including their physical, administrative, and technical controls. Beckage works with clients of various sizes and complexities to review their current policies and procedures in place, governance matters, and navigate questions about the technical safeguards and controls that are in place. Beckage can perform a Rapid Risk Assessment, done under privilege, to uncover things that need to be remediated and help implement a proactive plan to address the SHIELD Act as well as any related data privacy legislation. Our team can help you better understand the legal implications surrounding the cyber security of personal information and the legal repercussions that follow suit.

*Attorney Advertising. Prior results do not guarantee a similar outcome.

Subscribe to our newsletter.