Does the SHIELD Act Cover Your Business and Are You Ready?
As we have previously written, the privacy and security requirements of the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) are effective as of March 21, 2020. The SHIELD Act implements broad new data security requirements for all businesses that have the private information of New York residents, and reaches beyond New York’s own borders to compel companies – including companies that do not do business in New York – to take affirmative steps to protect the personal and private information of New York residents that the company may be collecting or storing.
First, the SHIELD Act expands the definition of “private information” that must be safeguarded to include any information that can be used to identify a person, in combination with a social security number, a driver’s license number, a financial account number, or biometric information. Separate and apart from these “data elements,” the definition of “private information” also now includes “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.”
Second, the SHIELD Act applies to any company that possesses the private information of even a single New York resident – even if the company does not conduct business in New York. All companies must now protect that data and report a breach to the impacted resident(s) if it involves the resident’s private information.
Third, the SHIELD Act creates an entirely new obligation for all companies that own the private information of even a single New York resident to “implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.” Entities that already comply with Gramm-Leach-Bliley, HIPAA, the NY DFS Cybersecurity Regulations, or other New York data security regulations will be deemed compliant with the SHIELD Act’s data security requirements. For those companies not otherwise deemed compliant, “reasonable safeguards” require implementing a “data security program” that includes administrative, technical, and physical safeguards to protect the private information. The SHIELD Act lists as examples specific measures that businesses can employ to achieve compliance, including, but not limited to, employee training; careful selection of service providers; risk identification and assessment; procedures to detect, prevent, and respond to attacks or intrusions; and disposal of private information no longer needed for business purposes.
While the obligations of the SHIELD Act are universal, it is important to note that a “small business” – defined as a business with (1) fewer than 50 employees, (2) less than $3 million in gross annual revenue in each of the last three fiscal years, or (3) less than $5 million in year-end total assets – is given some leeway (there is no exemption) and will be deemed compliant if the business establishes a security program that “contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”
Finally, it is important to note that there is no private right of action under the SHIELD Act; the New York Attorney General alone is authorized to enforce these requirements.
With compliance now an operational requirement, businesses should take affirmative and proactive steps to ensure that they have implemented appropriate data privacy and security measures. Any business that does not currently have a comprehensive data security program should consult with an experienced advisor to develop and implement one that is appropriate for the full scope of the company’s operations. And for any business that has a data security program in place, now is the time to review and update that program, focusing on the nature and scope of the personal information the business collects, what that information is used for, who can access that information, and additional measures to enhance the privacy and security of personal information of New York consumers.