New York’s SHIELD Act Is More Important Than Ever
Client Alerts
John T. Araneo, Managing Director, Align Cybersecurity
3.18.21 | Berdon VISION
The SHIELD Act amends preexisting New York laws, creating a broader reach with more bright-line requirements.
New York State launched the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (the “Act”) a year ago on March 21, 2020, perhaps somewhat symbolically, just as COVID-19 began to spread across the nation. Distracted by the ensuing economic disruption, many businesses may have overlooked, set aside, or ignored the significance and broad sweep of the Act. A year into its enactment, Berdon’s cybersecurity specialists assessed the real-world impact of the Act as well as the continued uncertainty within the current business landscape, and recommend that businesses conduct some thoughtful planning and honest discussions regarding their ability to comply with the Act and efficiently protect the personal data of their employees and clients.
What Does It Mean for My Business?
The SHIELD Act amends preexisting New York law and now: (i) provides expansive definitions of both a “breach” and of what constitutes personally identifiable information (PII); (ii) provides an expansive territorial scope; and (iii) imposes a timely but significant compliance obligation to create a cybersecurity program that includes administrative, technical, and physical data security elements.
The Act broadens certain key definitions. Private information now includes biometric information and username/email address in combination with a password or security questions and answers. It also includes an account number or credit/debit card number, even without a security code, access code, or password, if the account can be accessed without such information. Similarly, a breach of the security of the system includes unauthorized access of computerized data that compromises the security, confidentiality, or integrity of private information.
The Act further augments the jurisdictional reach (i.e., the geographic application) of the breach notification requirement to any Covered Business, which is defined as any person or business owning or licensing computerized data that includes the private information of a resident of New York. Previous regulations limited the definition of a Covered Business only to companies that did business in New York.
Businesses will need to consider if the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.
Exceptions
There is an exception to the requirement to report the breach. It applies if the breach was an inadvertent disclosure by personnel authorized to access private information and the person or business makes a reasonable determination that the breach is not likely to result in misuse, or financial or emotional harm, to the affected persons or business. Even when the exception applies, the breach must be documented in writing, and that documentation must be maintained for at least five years.
A small business may be able to modify or scale back its obligations. To qualify, the business must satisfy one of the following:
- Fewer than 50 employees;
- Less than $3 million in gross annual revenue in each of the last three fiscal years; or
- Less than $5 million in year-end total assets, calculated in accordance with GAAP.
The Key Component Impacting Your Business
If a business owns or licenses a New York resident’s private information, it is required to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that information. In effect, under the Act, a formal data security program is mandated.
Building Your Shield
It is important to regard developing your data security shield as good business practice and not some additional burden. This shield — which directly benefits your business as well as your clients — should consist of three parts: Administrative, Technical, and Physical.
Administrative
- Select the most qualified employees to conduct your data security program and designate a team leader/direct report
- Seek to identify the most likely risks — both internal and external
- Challenge your defenses to identify strengths and potential weaknesses
- Rate the effectiveness of all safeguards currently in place
- Initiate employee training for your security program. Important: Employees are your first line of defense
- Identify and review providers who can help maintain your safeguards
- Stay vigilant: update programs and procedures as conditions change. This is an ongoing process
Technical
- Perform a risk assessment in key areas:
  - Network and software design
  - Information processing
  - Transmission
  - Storage
- Establish processes to prevent, detect, and respond to:
  - External attacks
  - Internal system failures
- Initiate regular testing to help ensure that your controls, systems, and procedures are performing well
Physical
- Identify any risks to the storage and disposal of information
- Find ways to uncover, prevent, and respond to intrusions
- Protect against unauthorized access to private information
- Dispose of or erase unneeded private information in a timely and secure manner
Important Consideration
Outside service providers to Covered Businesses with access to employee or customer personal data will also be held accountable under the SHIELD Act. This makes it imperative to review contracts and relationships with third-party providers to ensure they maintain appropriate technical and physical safeguards.
Enforcement
Businesses failing to comply with the Act may face civil penalties of up to $5,000 per violation. Failing to comply with the breach notification requirement carries a penalty of $20 per instance of failed notification, with a cap of $250,000.
How to Comply
To comply with the Act, Covered Businesses (and service providers to Covered Businesses) must be prepared to address a multifactorial challenge that spans technological, operational, administrative, and physical controls. The initial step is to obtain a data security assessment from a qualified cybersecurity advisor who can observe, evaluate, and opine on the prevailing security controls in each of these areas. A good advisor can identify gaps in each of these primary areas and recommend appropriately scaled, reasonable controls.
Questions? If these requirements have raised questions or concerns relating to your business, contact your Berdon advisor.