21 April 2020
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) is a data security law passed by the New York legislature and signed into law in July 2019. The law comes in response to an increasing number of high-profile cyber attacks.
The SHIELD Act requires that businesses set up a "Data Security Program" to monitor and improve cybersecurity. Businesses must also implement "reasonable safeguards" to ensure that private information is stored and erased safely. The Act requires businesses to notify their customers of data breaches, and it imposes large fines if they fail to do so.
If your business holds the personal or private information of any New York residents (even if it's based outside of New York), you must take steps to comply with the SHIELD Act. Let's take a look at what the law means for you.
The SHIELD Act is a major overhaul of New York's existing data security law. It introduces some new concepts and definitions and grants new powers to the New York Attorney General.
Stronger privacy, data protection, and cybersecurity laws are being passed all over the world. The law is playing catch-up with increasingly sophisticated hackers, lax data management, and intrusive privacy practices. The New York SHIELD Act is part of this movement.
The SHIELD Act essentially imposes two broad obligations:
Each of these obligations is made up of specific rules and requirements. Businesses are accountable for assessing and mitigating risk, and for responding proactively to a data breach.
The duties under the SHIELD Act extend to any person or business which owns or licenses the private information of New York residents. We'll be looking at the definition of "private information" below.
State laws increasingly target businesses who "operate in" or "promote goods and services" to residents of the state in which the law is passed. Examples include the California Consumer Privacy Act (CCPA) and the proposed New York Privacy Act (NYPA).
The SHIELD Act is even broader. To be covered by the Act, you merely need to be holding the private information of New York residents.
Your business probably holds personal or private information from people in multiple countries or across multiple US states. You may choose to segregate New York residents' data. Or you may choose to apply SHIELD standards to all of the private information your company holds.
In either case, it's important to know the origin of all the personal information you hold. In the event that you suffer a data breach, you'll need to tell the New York Attorney General how many New York residents were affected.
The Act distinguishes between "personal information" and "private information."
Personal information is: "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person." This is data that could identify a person directly.
Private information is a little more complicated. There are three types of private information.
Type I private information is a piece of personal information, combined with one or more of the following "data elements":
The data element, or the personal information/data element combination, must be either:
Let's compare some examples of personal information and type I private information to put this in context:
| Personal information | Type I private information |
|---|---|
| Name | Name plus social security number (unencrypted) |
| Name (encrypted) plus credit card number (encrypted) | Name (unencrypted) plus credit card number and PIN (unencrypted) |
| Name (encrypted or unencrypted) plus driver's license number (encrypted) | Name (encrypted or unencrypted) plus driver's license number (unencrypted) |
| Name (encrypted or unencrypted) plus social security number (encrypted) | Name (encrypted or unencrypted) plus social security number (encrypted, but the encryption key has also been accessed) |
Type II private information is a username or email address together with a corresponding password or security question and answer.
Type III private information is any health information as defined in the Health Insurance Portability and Accountability Act (HIPAA), if it's held by an entity covered by that act.
Private information doesn't include information lawfully made available to the public via local, state or federal government records.
The SHIELD Act will be enforced by the New York Attorney General. The Attorney General can take action in court against a business if the business violates certain parts of the Act.
The Attorney General must bring an action within three years of either becoming aware of the violation or receiving the business's own breach notice, whichever comes first. There is also an outer limit: no action can be brought more than six years after the breach was discovered, unless the business took steps to hide it.
Fines can be issued under the Act where a business has failed to properly notify people affected by a data breach. The fine is a civil penalty of either:
The Attorney General will issue whichever of these two penalties is greater.
The SHIELD Act sets out rules about how you assess risk and keep data secure.
If your business owns or licenses the private information of any New York resident, you must set up a "data security program."
The SHIELD Act sets out six things you must do in order to have a valid data security program:
If your business owns or licenses the private information of any New York resident, you must have reasonable safeguards in place to protect and dispose of the information.
The SHIELD Act lists four technical safeguards. You must:
The SHIELD Act lists four physical safeguards. You must:
If a data breach occurs, the SHIELD Act requires a business to communicate directly with the people who have been affected by the data breach, and also to inform public authorities with the appropriate type of data breach notice.
Rather than "data breach," the SHIELD Act uses the term "breach of the security of the system." We'll be using the term "data breach" throughout this article.
A data breach is unauthorized access to, or acquisition of, computerized data that compromises the security, confidentiality or integrity of New York residents' private information. The 2019 amendments added "access" to a definition that previously turned on acquisition alone, so an intruder who could view or alter private information can trigger the Act even if you can't show that anything was copied out. When deciding whether a breach has occurred, the Act lets you weigh indications that the data was viewed, communicated with, used or altered (access), or that it was downloaded, copied, or ended up in an unauthorized person's physical possession (acquisition).
Good-faith access to, or acquisition of, private information by an employee or agent of your business for business purposes doesn't count as a data breach, provided the information isn't used or disclosed to an unauthorized person.
There are several ways to give individual notice of a breach under the Act:
There is also a list of substitute notification methods. You can only use these methods when one or more of the following applies:
The substitute methods of notice include:
Regardless of which type of notice you're providing, you must include the following information:
Whenever you have notified individuals about a data breach, you'll also need to notify these public authorities:
If more than 5,000 New York residents have been affected by the breach, the SHIELD Act states that you must also notify the consumer reporting agencies (the credit bureaus) of the timing, content and distribution of the notices and the approximate number of affected people. The Act directs the Attorney General to compile a list of consumer reporting agencies and supply it to businesses on request.
Make sure that you prioritize giving notice to the individuals affected: informing the authorities must not delay your notice to them.
You must tell these organizations:
You must also provide a template copy of the notice you used.
The SHIELD Act offers some flexibility for certain types of business.
Some businesses will be deemed to be compliant with the SHIELD Act's data security requirements by default. They don't have to set up a data security program, and they don't need to implement the Act's reasonable safeguards.
However, they must still obey the Act's breach notification rules.
The Act calls such businesses "compliant regulated entities." Compliant regulated entities are already compliant with certain recognized data security standards. These regulations are as strong as (or stronger than) the standards set out under the SHIELD Act.
Compliant regulated entities are subject to (and compliant with) one or more of the following data security regulations:
The SHIELD Act applies differently to small businesses. The Act defines a "small business" as a business that:
A small business still needs to comply with the Act. However, there is some flexibility regarding the data security measures described in the "Keeping Private Information Safe" section (above).
There is no flexibility regarding the obligations described in the "Providing Notice of a Data Breach" section.
When implementing its data security program and reasonable safeguards, a small business only needs to take measures that are "appropriate," considering:
The SHIELD Act doesn't provide any specific guidance on what might constitute an appropriate level of data security for a small business. It's likely that this section of the Act will be considered by the Attorney General and the courts in the event of a data breach. Small businesses are unlikely to be held to the same stringent standards as larger businesses.
The New York SHIELD Act imposes a new regime of security and transparency.
Your business must:
Many businesses will consider these obligations burdensome. Others will embrace them and thrive in this new environment. It's clear that the rules are changing. There are opportunities for those willing to adapt.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.