Prepare the Battlements! What Businesses Need to Know About the NY SHIELD Act

As security risks continue to be at the forefront of legislators’ agendas across the country, New York has joined the growing roster of states pressing businesses to develop more robust breach procedures. Originally proposed in the 2017-2018 session, New York’s newly passed Stop Hacks and Improve Electronic Data Security (SHIELD) Act bolsters existing data breach notification requirements and enhances the security requirements imposed by businesses.

Changes to the Breach Notification Analysis in New York

The SHIELD Act updates New York law breach requirements by, most notably, (i) expanding the definition of “private information” that would trigger breach notification, (ii) giving insight into when information may have been “accessed,” (iii) excluding from the notice requirements instances in which the exposure of private information was an inadvertent disclosure by persons authorized to access private information and the business reasonably determines that exposure will not result in misuse of such information or financial/emotional harm, and (iv) increasing civil penalties up to $20 per instance of failed notification (not to exceed $250,000).

What information triggers notification?

The trigger for a breach notification under the SHIELD Act is the acquisition or access to “private information” of a New York resident. In the past, New York breach laws required notification if a breach involved (i) any personally identifiable information with (ii) an individual’s Social Security number, driver’s license or identification number, or financial account number (with a security code or password). “Private Information” now also includes:

  • Biometric Information, including fingerprints, voice prints, retina or iris images, or other unique physical representations used to authenticate an individual’s identity;
  • A username or email address in combination with a password or security question and answer that would permit access to an online account; and
  • Financial account numbers, when the number alone can be used to access an account (i.e., security code or password no longer needed to qualify the financial account number as “private information”).

Additionally, even if the type of data breached is not considered “personal information” under the SHIELD Act, HIPPA entities must report to the New York State Attorney General if HIPPA regulations would require the entity to report the breach to the Secretary of Health and Human Services.

The Nature of the Incident is Also Important to the Analysis

Cybersecurity practitioners are also well trained to look beyond the information that is at issue, and to also consider the nature of the incident. It is important to pause here and note that the SHIELD Act has also expanded the activity that is considered a data breach. It includes not only the acquisition of data, but also “access” to it. Factors that may be considered when evaluating whether a data breach has occurred include “indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an authorized person,” such as an unauthorized person gaining physical possession and control of a lost computer or device.

In addition, the SHIELD Act excludes from the notice requirements instances in which the exposure of private information was an inadvertent disclosure by persons authorized to access private information and the business reasonably determines that exposure will not result in misuse of such information or financial/emotional harm. This is a very helpful element, as many incidents involve this exact fact pattern.

Enhancements to Security Requirements

The true “shield” in the SHIELD Act is encompassed in the new security requirements imposed upon businesses that own or license computerized data which includes private information of New York residents to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” A business is compliant if it implements a security program that includes the following:

  • Reasonable administrative safeguards such as—
    • Designating one or more employees to coordinate the security program;
    • Identifying reasonably foreseeable internal and external risks;
    • Assessing the sufficiency of safeguards in place to control the identified risks;
    • Training and managing employees in the security program practices and procedures;
    • Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and
    • Adjusting the security program in light of business changes or new circumstances.
  • Reasonable technical safeguards such as—
    • Assessing risks in network and software design;
    • Assessing risks in information processing, transmission and storage;
    • Detecting, preventing and responding to attacks or system failures; and
    • Regular testing and monitoring of the effectiveness of key controls, systems and procedures.
  • Reasonable physical safeguards such as—
    • Assessing risks of information storage and disposal;
    • Detecting, preventing and responding to intrusions;
    • Protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
    • Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Practical Tips

We recommend reviewing existing privacy and security policies to ensure they are in line with this new guidance. Some helpful steps for organizations include the following:

1. Determine whether the SHIELD Act applies to your business (though businesses outside of the SHIELD Act’s reach may still benefit from a review of the detailed safeguards listed above to evidence a well-functioning, reasonable breach response system).

  • Do you have the data of any resident of New York?
  • Do any of the types of data fit into the new definition of “private information” under the SHIELD Act?
  • What are the data breach notification procedures being used?

2. Review the current policies and administrative safeguards in place.

  • What are the data breach notification procedures being used?

3. Evaluate the administrative, technical, and physical infrastructure in place. Consider adjusting the current administrative, technical, and physical safeguards to incorporate the specific elements outlined in the SHIELD Act.

  • Do the current safeguards include the above mentioned methods per the SHIELD Act?
  • Can the current systems detect when and where breaches have occurred?

4. In the event of a breach, determine how (i) individuals can report inadvertent disclosures, and (ii) how your business will decide whether an exposure does, or does not, result in misuse or financial/emotional harm.

5. Inform all relevant stakeholders and prepare relevant parties to implement any necessary adjustments by the SHIELD Act’s effective dates: March 21, 2020 for data security requirements and October 23, 2019 for the breach notification provisions.

Continue Reading