Back in the spring of 2019, the New York legislature passed Senate Bill 5575, the Stop Hacks and Improve Electronic Data Security Act, aka the SHIELD Act. The SHIELD Act amends and expands New York’s data and breach notification laws, but – you guessed it – the expansion will have effects beyond New York.
About the New York SHIELD Act
While the SHIELD Act was passed almost a year ago and went into effect in October 2019, the grace period for compliance ends on March 21, 2020 – just a few days from today. But don’t worry. There’s still enough time to ensure compliance.
Compared to the GDPR and CCPA, New York’s SHIELD Act has flown relatively under the radar, but it is still an important piece of legislation to understand since so many organizations operate in or have customers who are residents of the State of New York.
So, what is it? Who does it apply to? And should you be worried? Let’s take a look ?
Expands Scope of Liability
Similar to the CCPA and the GDPR, the SHIELD Act expands liability to any organization that collects private information of New York residents, regardless of where it was collected. This means that an organization does not necessarily have to conduct business in New York in order to come under the purview of the SHIELD Act.
Expands Breach Notification Triggers
By expanding the definitions of “breach” and “private information,” the SHIELD Act has significantly expanded New York’s data breach notification laws. The expanded definitions, in effect, create more instances where a business would be required to notify New York residents of a data breach.
Under the SHIELD Act, a “breach” has been broadened from mere unauthorized acquisition to additionally include unauthorized access to private information. Unauthorized access can include viewed, communicated with, used, or altered by a person without authorization to do so.
As such, an event that would trigger a breach notification may not just result from someone unlawfully taking data, but also unlawfully seeing the data without ever having possession of it.
“Private information” is a subset of personal information – or any information that can be used to identify a person. Before that included highly-sensitive personal information like Social Security numbers, credit or account numbers, and identification card numbers like driver’s license numbers. Now, under the SHIELD Act, private information has been expanded to include any account information, biometric data (like iris scans, fingerprints, voiceprints, images, etc.) used to authenticate someone’s identity, and usernames or emails in combination with passwords or passcodes.
New York’s data and privacy laws require that in the event of a breach, the business must notify any and all New York residents whose private information may have been compromised. Now, with the expanded definitions of breach and private information, there is the potential for more events that will trigger New York’s breach notification requirements. Further, with these laws applying to any business that has New York residents’ information regardless of where the business is located, such breach notifications will apply to far more businesses and any breaches they may experience.
This, therefore, expands the potential risk of and liability associated with a breach.
Requires Adoption of Data and Cybersecurity Policies
In addition, the SHIELD act requires organizations to adopt “reasonable” security practices, policies and procedures to safeguard sensitive data in three critical ways: administrative safeguards, technical safeguards and physical safeguards. This includes implementing practices to identify and prevent risks to data security, taking reasonable steps to secure the business’s facilities and premises, choosing vendors who also maintain reasonable data and security, and taking steps to reasonably prevent unauthorized access to sensitive data and other information.
Taking into account differing sizes and resources of businesses, the SHIELD Act emphasizes that the programs should be reasonable. The Act, at a minimum, requires ongoing monitoring of the implemented policies and procedures, regular risk assessment of the business’s technical infrastructure and physical premises, training personnel, reasonable vendor due diligence, as well as designating an individual responsible for the required policies, practices, assessment and maintenance thereof.
What This Means for Your Business
If you are already concerned with data privacy regulations and your compliance with them, you are probably already compliant with the SHIELD Act. Why? Because you probably already have a data privacy and cybersecurity plan or program in place.
Further, you are automatically considered compliant if your business is regulated by and compliant with the Health Information Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), the Gramm-Leach Bliley Act, New York’s Cybersecurity Requirements for Financial Services Companies, and any other federal or New York cybersecurity legislation.
The key is to review and reassess your data privacy policy and security practices in light of the expanded definitions of a breach and private information under the Shield Act and to be ready to notify the New York residents in your database in the event of unauthorized access to their Notice should be sent to those New York residents. The SHIELD Act does not, however, require additional notice if notice is already being provided under a separate similar privacy statute, like HIPAA.
Following notice, you may be subject to liability, but not directly from a New York resident. Unlike the CCPA and the GDPR, there is no private right of action and only the New York Attorney General can take an action against a company in the wake of a breach of the SHIELD Act.
So while the SHIELD Act generally fits within measures that companies are taking for general data privacy and cybersecurity, particularly for GDPR and CCPA compliance, it is important to know that you may have special obligations to New York residents in the event of a breach and when a breach is considered to have occurred.
*Nothing in this article is intended to be, nor should it be, construed as legal advice from Drift or Drift’s legal team.
