The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) is a data security law passed by the New York Senate in mid-2019. The law comes in response to an increasing number of high-profile cyber attacks.
The SHIELD Act requires that businesses set up a "data security program" to monitor and improve cybersecurity. Businesses must also implement "reasonable safeguards" to ensure that private information is stored and erased safely. The Act requires businesses to notify their customers of data breaches, and it imposes large fines if they fail to do so.
If your business holds the personal or private information of any New York residents (even if it's based outside of New York), you must take steps to comply with the SHIELD Act. Let's take a look at what the law means for you.
SHIELD Act Basics
The SHIELD Act is a major overhaul of New York's existing data security law. It introduces some new concepts and definitions and grants new powers to the New York Attorney General.
Stronger privacy, data protection, and cybersecurity laws are being passed all over the world. The law is playing catch-up with increasingly sophisticated hackers, lax data management, and intrusive privacy practices. The New York SHIELD Act is part of this movement.
Overview of the Act
The SHIELD Act essentially imposes two broad obligations:
- Keep private information safe
- Provide notice of data breaches
Each of these obligations is made up of specific rules and requirements. Businesses are accountable for assessing and mitigating risk, and for responding proactively to a data breach.
Who Has to Comply with the SHIELD Act?
The duties under the SHIELD Act extend to any person or business which owns or licenses the private information of New York residents. We'll be looking at the definition of "private information" below.
State laws increasingly target businesses who "operate in" or "promote goods and services" to residents of the state in which the law is passed. Examples include the California Consumer Privacy Protection Act (CCPA) and the proposed New York Privacy Act (NYPA).
The SHIELD Act is even broader. To be covered by the Act, you merely need to be holding the private information of New York residents.
Your business probably holds personal or private information from people in multiple countries or across multiple US states. You may choose to segregate New York residents' data. Or you may choose to apply SHIELD standards to all of the private information your company holds.
In either case, it's important to know the origin of all the personal information you hold. In the event that you suffer a data breach, you'll need to tell the New York Attorney General how many New York residents were affected.
What is Private Information Under the SHIELD Act?
The Act distinguishes between "personal information" and "private information."
Personal information is: "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person." This is data that could identify a person directly.
Private information is a little more complicated. There are three types of private information.
Type I private information is a piece of personal information, combined with one or more of the following "data elements":
- Social security number
- Driver's license or ID card number
- Account number, credit card number, or debit card number, either:
- Together with a security code or some other information that would allow access to the account, or
- Alone, if the account could be accessed even without a security code or some other information
- Biometric information
The data element, or the personal information/data element combination, must be either:
- Not encrypted, or
- Encrypted, but with an encryption key that has been compromised ("accessed or acquired")
Let's compare some examples of personal information and type I private information to put this in context:
||Type I Private Information
||Name plus social security number (unencrypted)
|Name (encrypted) plus credit card number (encrypted)
||Name (unencrypted) plus credit card number and PIN (unencrypted)
|Name (encrypted or unencrypted) plus driver's license number (encrypted)
||Name (encrypted or unencrypted) plus driver's license number (unencrypted)
|Name (encrypted or unencrypted) plus social security number (encrypted)
||Name (encrypted or unencrypted) plus social security number (encrypted, but the encryption key has been accessed)
Type II private information is a username or email address together with a corresponding password or security question and answer.
Type III private information is any health information as defined in the Health Insurance Portability and Accountability Act (HIPAA), if it's held by an entity covered by that act.
Private information doesn't include information lawfully made available to the public via local, state or federal government records.
How Will the SHIELD Act Be Enforced?
The SHIELD Act will be enforced by the New York Attorney General. The Attorney General can take action in court against a business if the business violates certain parts of the Act.
The Attorney General must act within three years of becoming aware of a violation (including where the business notified the Attorney General of the breach directly).
Fines can be issued under the Act issued where a business has failed to properly notify people affected by a data breach. The fines will be a civil penalty of either:
- $5,000, or
- $20 per violation (i.e., per person who was not properly notified of the breach), up to a maximum of $250,000
The Attorney General will issue whichever of these two penalties is greater.
Keeping Private Information Safe
The SHIELD Act sets out rules about how you assess risk and keep data secure.
Data Security Program
If your business owns or licenses the private data information of any New York resident, you must set up a "data security program."
The SHIELD Act sets out six things you must do in order to have a valid data security program:
- Designate one or more employees to coordinate your security program
- Identify "reasonably foreseeable" internal and external risks
- Assess the adequacy of your data security safeguards
- Provide data security training and management for your employees
- Only share private information with companies who have adequate safeguards, and always have a contract in place that requires that they implement such safeguards
- Adjust your data security program in response to changing circumstances
If your business owns or licenses the private information of any New York resident, you must have reasonable safeguards in place to protect and dispose of the information.
The SHIELD Act lists four technical safeguards. You must:
- Assess risks in the design of your software and networks
- Assess risks in how you process, transmit and store information
- Detect, prevent and respond to attacks and system failures
- Regularly test and monitor your key controls, systems, and procedures
The SHIELD Act lists four physical safeguards. You must:
- Assess the risks in how you store and dispose of information
- Detect, prevent, and respond to intrusions
- Prevent unauthorized access to private information whenever collecting, transporting, or disposing of it
- Properly dispose of private information within a reasonable amount of time after you no longer need it
Providing Notice of a Data Breach
If a data breach occurs, the SHIELD Act requires a business to communicate directly with the people who have been affected by the data breach, and also to inform public authorities.
What Counts as a Data Breach?
Rather than "data breach," the SHIELD Act uses the term "breach of the security of the system." This can cover situations where a system has been compromised but it isn't clear whether data has been accessed or acquired. We'll be using the term "data breach" throughout this article.
A data breach is where a person without proper authorization accesses or acquires computerized data. The computerized data could compromise the security, confidentiality or integrity of the private information of New York residents.
- "Accessed" usually means that there is some indication that the information has been:
- Communicated with
- Signs that information might have been "acquired" can include:
- A computer or device containing such information is lost or stolen
- There is evidence that the information has been downloaded or copied
- There are reports of identity theft using the information
Access, in good faith, by employees of your business doesn't count as a data breach; unless there's some evidence that information was disclosed to an unauthorized person.
There are several ways to give individual notice of a breach under the Act:
- Written notice
- Electronic notice, if the affected person has consented to electronic notice
- A business cannot deny or withdraw service because a person has refused consent to electronic notice of data breaches
- The Act distinguishes electronic notice from email notice. It may refer to notice via "push notification" or some other electronic notification method agreed between you and your customers
- Telephone notification, if you keep a log of the call
There is also a list of substitute notification methods. You can only use these methods when one or more of the following applies:
- The cost of providing individual notification would exceed $250,000
- Over 500,000 people have been affected by the data breach
- You don't have contact details for the affected people
The substitute methods of notice include:
- Email notice (if you have the consumer's email address)
- You must not use this method if the breach relates to the security of email address or email account login credentials. In this event, you should set up a notification of the breach when the user logs into their online account.
- This notification should only appear if the user logs in from an IP address or online location from which the user normally accesses the account
- Conspicuous notice via your website
- Notification via statewide media
What Information Should You Include When Providing Notice?
Regardless of which type of notice you're providing, you must include the following information:
- Your company's contact details
- Telephone numbers and websites of state and federal agencies who can help with data breaches and identity theft
- A list of the types of data that have been (or may have been) accessed or acquired
- The specific elements of personal or private information that have been (or may have been) accessed or acquired
Notifying the Authorities
Whenever you have notified individuals about a data breach, you'll also need to notify these public authorities:
If more than 5,000 New York residents have been affected by the breach, the SHIELD Act states that you must also notify "consumer reporting authorities." The Act doesn't specify which consumer reporting authorities you should notify. The Federal Government provides this list of New York State consumer protection offices.
Make sure that you prioritize giving notice to the individuals affected. Informing the authorities must not cause any delay to you informing individuals.
You must tell these organizations:
- The date(s) that you notified the individuals
- The content of your data breach notice
- How you distributed your notice
You must also provide a template copy of the notice you used.
Exceptions For Certain Types of Business
The SHIELD Act offers some flexibility for certain types of business.
Compliant Regulated Entities
Some businesses will be deemed to be compliant with the SHIELD Act's data security requirements by default. They don't have to set up a data security program, and they don't need to implement the Act's reasonable safeguards.
However, they must still obey the Act's breach notification rules.
The Act calls such businesses "compliant regulated entities." Compliant regulated entities are already compliant with certain recognized data security standards. These regulations are as strong as (or stronger than) the standards set out under the SHIELD Act.
Compliant regulated entities are subject to (and compliant with) one or more of the following data security regulations:
- Section V of the Gramm-Leach-Bliley Act (15 USC § 6801 - 6808)
- This mainly applies to financial institutions
- The Health Insurance Portability and Accountability Act (HIPAA)
- This mainly applies to healthcare providers and health insurance companies
- Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York (23 NYCRR 500)
- This applies to financial services companies
The SHIELD Act applies differently to small businesses. The Act defines a "small business" as a business that:
- Has fewer than 50 employees
- Has had gross revenue of less than $3 million per year for each of the previous three fiscal years, or
- Has less than $5 million worth of year-end assets in total
A small business still needs to comply with the Act. However, there is some flexibility regarding the data security measures described in the "Keeping Private Information Safe" section (above).
There is no flexibility regarding the obligations described in the "Providing Notice of a Data Breach" section.
When implementing its data security program and reasonable safeguards, a small business only needs to take measures that are "appropriate," considering:
- The size and complexity of the small business
- The nature and scope of its activities
- The sensitivity of the personal information it collects from its customers
The SHIELD Act doesn't provide any specific guidance on what might constitute an appropriate level of data security for a small business. It's likely that this section of the Act will be considered by the Attorney General and the courts in the event of a data breach. Small businesses are unlikely to be held to the same stringent standards as larger businesses.
The New York SHIELD Act imposes a new regime of security and transparency.
Your business must:
- Keep private information safe
- Consider what private information you hold
- Implement a data security program
- Apply reasonable safeguards to protect the private information you hold
- Provide notice of a data breach
- Consider what methods you can use to contact your customers
- Inform people affected by a breach without delay
- Notify the appropriate public authorities
Many businesses will consider these obligations burdensome. Others will embrace them and thrive in this new environment. It's clear that the rules are changing. There are opportunities for those willing to adapt.