Breach Notification in New York: The SHIELD Act
On July 25, 2019, New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act which amends the state’s breach notification law in order to “impose stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach.” The breach notification amendments took effect in October 2019, while the data security requirements will take effect on March 21, 2020.
New York’s Commitment to Data Security, Privacy, and Breach Notification
As one of the technology epicenters of the world, there is a dire need for New York to position itself has a leader in data security, privacy, and breach notification. Over the last two years, we’ve seen New York make progress by placing a focus on cybersecurity via the Cyber NYC initiative and emphasizing vendor management and cybersecurity through the New York State Department of Financial Services Cybersecurity Requirements Regulation for Financial Services Companies Part 500 (NY CRR 500) of Title 23. But, New York’s data security, privacy, and breach notification laws have still fallen short considering the type of controls needed to secure businesses and the type of data privacy laws other states are working to implement. Considering this, the most recent move by Governor Cuomo to implement the New York SHIELD Act is a clear indication that New York is committed to establishing and enforcing protective measures for New York consumers’ private information.
What is the New York SHIELD Act?
Born out of the need for stricter breach notification laws, the SHIELD Act makes it a requirement that entities who collect, handle, use, or store the personal or private information of New York residents must have robust data security measures and must report breaches within a timely manner. Ultimately, according to the New York State Senate, the SHIELD Act has three main intentions:
- To broaden the scope of information covered under New York’s breach notification law and update requirements
- To broaden the definition of a data breach
- To require reasonable data security, provide standards tailored to the size of a business, and provide protections from liability for certain entities
How Does the SHIELD Act Impact Your Organization?
Similar to the California Consumer Privacy Act (CCPA), the New York SHIELD Act applies to “any person or business which […] owns or licenses computerized data which includes private information.” This means that businesses who have just one set of data from a New York resident or employee are privy to the requirements of the law. In other words, the SHIELD Act does not only apply to businesses who physically do businesses within the borders of New York – it is far-reaching and will likely have a nationwide and global impact.
How to Comply with the SHIELD Act?
The SHIELD Act requires that organizations, at a minimum, do the following:
Implement reasonable administrative safeguards
According to § 899-bb(2)(b)(ii)(A), organizations can do this by:
- Designating one or more employees to coordinate the security program
- Identifying reasonably foreseeable internal and external risks
- Assessing the sufficiency of safeguards in place to control the identified risk
- Training and managing employees in the security program practices and procedures
- Verifying that the selection of service providers can maintain appropriate safeguards and requiring those safeguards by contract
- Adjusting the security program in light of business changes or new circumstances
Establish reasonable technical safeguards
According to § 899-bb(2)(b)(ii)(B), organizations can do this by:
- Assessing risks in network and software design
- Assessing risks in information processing, transmission, and storage
- Detecting, preventing, and responding to attacks or system failures
- Regularly testing and monitoring the effectiveness of key controls, systems, and procedures
Create reasonable physical safeguards
According to § 899-bb(2)(b)(ii)(C), organizations can do this by:
- Assessing risks of information storage and disposal
- Detecting, preventing, and responding to intrusions
- Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
- Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
Cost of Non-Compliance
In today’s data-driven world, the cost of a data breach can be detrimental to a business, especially medium and small-sized businesses. If data security and privacy isn’t made a priority from the start, compliance and security issues may later be the downfall of a seemingly secure, successful company. When a data breach occurs, there are endless impacts to not only the entity that was hacked, but potential vendors, partners, and most importantly, the consumers. Because Governor Cuomo understood that adequate breach notification is such a vital part of breach recovery, the SHIELD Act explains that if entities fail to comply, the New York State Attorney General can seek up to $250,000 for violations by a company.
Data breaches are only a matter of when not if they’ll occur, which means that it is imperative that organizations have a thorough breach notification strategy in place. But more often than not, organizations fail to do this and can incur costly fines and penalties for their negligence, like with Uber’s infamous data breach cover-up. Consumers have the right to know when their personal and private information has been compromised by malicious individuals, and businesses must be sure to ensure those rights are given. The SHIELD Act is one way New York is making sure this happens.
If your organization has to comply with the latest New York breach notification law or you’re in need of guidance for creating your own breach notification strategy, let’s find some time to talk!