New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act goes into effect on March 21, 2020. The law significantly changes the state’s data breach notification law and requirements for data protection. Signed into law by New York Governor Andrew Cuomo on July 25, 2019, the SHIELD Act strengthens enforcement of data privacy and consumer protection.
Consumer data is at greater risk of exposure due to the growth of new technologies such as mobile devices and the increasing use of big data analytics, for which organisations are capturing and retaining much larger volumes of data that need to be protected. The new law addresses the growing number of security attacks and breaches by expanding the definition, scope and reach of New York’s data privacy laws.
The SHIELD Act applies not only to companies that conduct business in the state of New York, but also to any person or entity with private information of a New York resident. The law establishes minimum standards for cybersecurity across industries and provides added protection for consumers whose personal data has been compromised.
The Stop Hacks and Improve Electronic Data (SHIELD) Act: Basic Elements
Is your company prepared to meet the new requirements of the SHIELD Act? The complexity of the new law is bringing about a lot of questions and need for clarification. Following is a breakdown of the basic elements of the law and what companies need to know.
Provisions of the SHIELD Act include:
- A broader definition of “private information”
- Expanded requirements for data security and breach notification
- A broader territorial reach of the breach notification requirement
Is Your Organisation Subject to the SHIELD Act?
The SHIELD Act applies to any business that collects or licenses private data of New York State residents, not just companies that conduct business in the state.
Small businesses are compliant if they implement and maintain “reasonable” safeguards that are appropriate to the company’s size and complexity and to the sensitivity of the data. The act defines a “small business” as one consisting of fewer than 50 employees, having a gross revenue of under $3 million for the last three fiscal years or having under $5 million in assets.
What Are the Implications of Not Complying with the SHIELD Act?
Penalties are subject to a tier structure. Fines can be levied up to $250,000 per incident, exceeding the previous limit of $150,000. Fines are calculated as a minimum $5,000 or $20 per item breached up to $250,000.
How is a “Breach” Defined?
A breach is now defined as unauthorised access or acquisition of private information. Unauthorised access may include viewing, communicating or altering data without authorisation. Previously, a breach was defined as unauthorised acquisition of data, and did not include unauthorised access.
Good-faith access or acquisition by an employee or agent is not considered a breach of the security of the system.
Breach notification requirements have been expanded to include reporting of unauthorised access, not just theft or loss of data.
Organisations that experience a breach are required to notify affected New York State residents “in the most expedient time possible and without unreasonable delay.” If more than 500 victims are involved in the exposure, notice must be given to the New York attorney general, the New York Department of State and state police within 10 days following determination. Preference is given to notice being given in writing, electronically or by phone.
Notice of breach or unauthorised access can be given by email when appropriate unless the breach included access credentials, such as an email address in combination with a password or security question.
The law also provides alternative methods of notification, including email, conspicuous notice via the company website, or notification via statewide media in the following three circumstances:
- Cost to provide individual notification exceeds $250,000
- More than 500,000 people have been affected by the breach
- Contact details for the affected people aren’t available
If consumers are already being notified under other state or federal laws or regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, companies are not required to give notice to consumers. Notice must still be given to the state attorney general within five business days.
Notice is not required if the disclosure is inadvertent or if exposure will not lead to misuse or financial harm. However, such a determination must be documented in writing and retained for five years.
Expanded Definition of Private Information
Existing regulations defined private information as: Social Security numbers; driver’s license or government ID card numbers; account numbers, including debit and credit card information (security or access codes); and passwords that permit access to financial records.
The new SHIELD Act definition adds:
- Biometric information resulting from facial-recognition software or other means
- Email addresses and their passwords
- Security questions and answers (e.g., used for password resets)
Note that encrypted data is not considered personal information if the encryption key has not been accessed. Also, private information does not include publicly available information.
Any person or business that owns or licenses a New York State resident’s private information must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information. Requirements include:
- Designation of employees to coordinate the security programme
- Identification of reasonably foreseeable external and insider risks
- Assessment of existing safeguards
- Workforce cybersecurity training
- Selection of service providers capable of maintaining appropriate safeguards
- A process for implementing the security programme based on business changes or new circumstances
- Risk assessments of network, software design, information processing, transmission and storage
- Implementation of measures to detect, prevent and respond to system failures
- Regular testing and monitoring of the effectiveness of key controls
3. Physical Controls
- Detection, prevention and response to intrusions
- Protections against unauthorised access to or use of private information during or after collection, transportation and destruction or disposal of the information, and disposal of information after a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
What Should Companies Do?
Many organisations’ leaders are not aware of the SHIELD Act and its potential impact. Therefore, they may not be prepared for compliance. Organisations should start preparations immediately so that any obstacles encountered can be resolved before the SHIELD Act becomes effective on March 21.
Protiviti recommends that companies:
- Modify incident response plans to reflect the new definition of a breach that now includes unauthorised access, not just theft or loss.
- Implement an information security framework to guide their information security programme (e.g., ISO, NIST, CIS, FFIEC)
- Examine their existing security and privacy policies to ensure these new definitions for private information are represented.
- Examine their breach notification procedures to account for the new requirements of the SHIELD Act.
The scope of the new SHIELD Act is relatively broad, encompassing all companies both within and outside New York State that utilise personal data of state residents. Using these recommendations as a blueprint to prepare for the new regulations can give your organisation a head start on reviewing its practises and analysing where changes may be required for its data protection programme to come closer to compliance.
How Can Protiviti Help?
Protiviti can assist companies in a variety of ways. Our professionals can:
- Evaluate your cybersecurity programme for compliance with requirements of the SHIELD Act. This project will examine your company’s compliance with the SHIELD Act and help develop an action plan to resolve any gaps identified.
- Update policies and procedures to reflect the new requirements of the SHIELD Act. Implement and manage new cyber capabilities and technologies. The SHIELD Act will require changes to your policies and procedures, including cybersecurity, privacy and incident response. Protiviti can evaluate your existing policies and procedures and modify, update or change them to reflect the new requirements. Protiviti can also train personnel on the execution of the new processes required.
- Implement an information security framework. Many companies are implementing a cybersecurity framework to help guide their cybersecurity programmes. Protiviti can help with the implementation of these frameworks (e.g., ISO, NIST, PCI, CIS, FFIEC).