New York recently enacted the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”). The new legislation broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach and requires reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities. The law applies to all companies that employ New York residents, regardless of size or location.
Specifically, the SHIELD Act requires that employers of New York residents develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information. The statute defines “private information” to mean:
- A user name or e-mail address in combination with a password or security question and answer that would permit access to an online account; or
- “Personal information” in combination with any one or more of the following unencrypted data elements:
  - social security number;
  - driver’s license number or non-driver identification card number;
  - account number, credit or debit card number, in combination with a security code, access code, password or other information that would permit access to an individual’s financial account;
  - account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
  - biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity.
“Personal information” is broadly defined to mean “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
An employer may demonstrate compliance with the data security requirements of the SHIELD Act by either:
- Having a data security program that complies with Title V of the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 C.F.R. Parts 160 and 164), the New York State Department of Financial Services’ Cybersecurity Regulation at 23 NYCRR Part 500, or other federal or state data security rules and regulations; or
- Implementing a data security program that includes specified elements to address an organization’s ability to identify, protect against, detect, respond to and recover from a cybersecurity incident.
If an employer does not have a cybersecurity program that is compliant with GLBA, HIPAA or other federal or state regulatory schemes, its data security program must include the following elements in order to comply with the SHIELD Act:
A. Reasonable administrative safeguards such as the following, in which the person or business:
1. Designates one or more employees to coordinate the security program;
2. Identifies reasonably foreseeable internal and external risks;
3. Assesses the sufficiency of safeguards in place to control the identified risks;
4. Trains and manages employees in the security program practices and procedures;
5. Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
6. Adjusts the security program in light of business changes or new circumstances; and
B. Reasonable technical safeguards such as the following, in which the person or business:
1. Assesses risks in network and software design;
2. Assesses risks in information processing, transmission and storage;
3. Detects, prevents and responds to attacks or system failures; and
4. Regularly tests and monitors the effectiveness of key controls, systems and procedures; and
C. Reasonable physical safeguards such as the following, in which the person or business:
1. Assesses risks of information storage and disposal;
2. Detects, prevents and responds to intrusions;
3. Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
4. Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
A compliant program for a small business (defined as a business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) is measured in the context of the size and complexity of the organization, the nature and scope of its activities, and the sensitivity of the personal information collected.
The statute took effect on October 23, 2019, but the data security requirements will not be effective until March 21, 2020. Employers should review their policies, procedures and handbooks to ensure compliance with the new requirements and implement a data security program if they have not already done so.