New York SHIELD Act: Your Cybersecurity Obligations to New Yorkers' Data
- April 21, 2020
- / Drew Sorrell & Ferran Arimon
- / Articles, Cybersecurity & eDiscovery
As millions of employees around the country begin their second month working remotely, several government agencies have issued warnings about a spike in data security incidents and an increased risk of cyber-attacks such as phishing and ransomware. Many states impose cybersecurity mandates on businesses, such as mandatory reporting of breaches to the state's attorney general. In March 2020, however, the data security provisions of the New York Stop Hacks and Improve Electronic Data Security Act (the "SHIELD Act") took effect (its amendments to the breach notification law had already taken effect in October 2019). The Act goes a step further than most other states' laws by requiring businesses to include specific protections in their data security programs.
The SHIELD Act will affect businesses across the country: it reaches not only businesses that operate in New York but any business that holds the private information of a New York resident. These changes to cybersecurity obligations in New York may also be a catalyst for other states to adopt similar regulations.
Under the SHIELD Act, New York's attorney general may bring claims seeking restitution and civil penalties of up to $5,000 per violation, with no aggregate cap, against companies that have failed to abide by the Act's enhanced security requirements. The SHIELD Act does not create a private right of action. That said, the plaintiffs' bar is expected to point to the SHIELD Act as the relevant standard of care when bringing civil cases under other theories of liability, which makes the Act more broadly relevant. The Act departs from other states' cybersecurity laws in that it spells out what is considered "reasonable" cybersecurity.
The obligations of the SHIELD Act apply to "[a]ny person or business which owns or licenses computerized data which includes private information of a New York resident." The SHIELD Act requires such persons to maintain reasonable safeguards and gives examples of administrative, physical, and technical safeguards that companies should adopt:
Administrative safeguards:
- Designate individual(s) responsible for the security program;
- Conduct ongoing risk assessments that identify reasonably foreseeable internal and external risks, coupled with an assessment of the sufficiency of the safeguards in place to control those risks;
- Train employees in the security program's practices and procedures;
- Select capable service providers and require safeguards by contract; and
- Adjust the program in light of business changes or new circumstances.
Physical safeguards:
- Assess the risks of information storage and disposal;
- Detect, prevent, and respond to intrusions;
- Protect against unauthorized access to or use of private information during or after collection, transportation, and destruction/disposal; and
- Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes.
Technical safeguards:
- Assess risks in network design, software design, and information processing, transmission, and storage;
- Detect, prevent, and respond to attacks or system failures; and
- Regularly test and monitor the effectiveness of key controls, systems, and procedures.
The SHIELD Act has also expanded the classic definition of "private information," which now means either:
- Personal information in combination with one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
- social security number, driver’s license number, or non-driver identification card number;
- account number, credit, or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account;
- account number, credit, or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
- biometric information including: a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate/ascertain the individual’s identity; OR
- A username or e-mail address in combination with a password or security question answer that would permit access to an online account.
It should be noted that breach notification (to affected New York residents and to the attorney general, the Department of State, and the State Police) is now triggered not only where private information has been acquired, but also where it has merely been accessed by an unauthorized person; in deciding whether access occurred, a business may consider indications that the information was viewed, communicated with, used, or altered. The only relief is a narrow exception for inadvertent disclosure by an authorized person where the business reasonably determines that the exposure is unlikely to result in misuse or harm, and even then the determination must be documented. The net result is that a reportable breach is now effectively broader.
Exceptions to the SHIELD Act
Qualifying small businesses are still required to report data breaches; however, the SHIELD Act recognizes that certain security measures may not be appropriate or "reasonable" for a small business. For purposes of this relief, a small business is any person or business with: i) fewer than 50 employees; ii) less than $3 million in gross annual revenue in each of the last three fiscal years; OR iii) less than $5 million in year-end total assets, calculated in accordance with GAAP.
While a qualifying small business must still maintain a cybersecurity program, the "reasonableness" of that program will be judged against factors such as the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information the business collects about consumers.
We encourage you to review the requirements of the SHIELD Act and assess whether your current cybersecurity program would be considered "reasonable." Should you have any questions regarding the adequacy of your business's cybersecurity measures, please feel free to reach out to Drew Sorrell or Ferran Arimon.