Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
What is the significance of this law?
The SHIELD Act, signed into law on July 25, 2019, by Governor Andrew Cuomo, amends New York’s 2005 Information Security Breach and Notification Act. The SHIELD Act significantly strengthens New York’s data-security laws by:
- expanding the types of private information for which companies must provide consumer notice in the event of a breach
- requiring that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information
What types of security breaches are covered by this law?
Under the 2005 law, a security breach is defined as an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of private information. The SHIELD Act expands the definition of a security breach to any "access" to computerized data that compromises the confidentiality, security, or integrity of private data.
What does private information consist of?
Under the 2005 law, private information was any personal information concerning a natural person in combination with one or more of the following data elements:
- Social Security number
- driver’s license number
- account number, in combination with any required security code
The SHIELD Act expands the law to include biometric information, username or email address, and password credentials.
What safeguards are included in the SHIELD Act?
The SHIELD Act requires any person or business that maintains private information to adopt administrative, technical, and physical safeguards. The act lists some safeguards, but the list is not meant to be exhaustive.
Reasonable administrative safeguards include:
- designating one or more employees to coordinate the security program
- identifying reasonably foreseeable internal and external risks
- assessing the sufficiency of safeguards in place to control the identified risks
- training and managing employees in the security program's practices and procedures
- selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract
- adjusting the security program in light of business changes or new circumstances
Reasonable technical safeguards include:
- assessing risks in network and software design
- assessing risks in information processing, transmission and storage
- detecting, preventing, and responding to attacks or system failures
- regularly testing and monitoring the effectiveness of key controls, systems, and procedures
Reasonable physical safeguards include:
- assessing risks of information storage and disposal
- detecting, preventing, and responding to intrusions
- protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of information
- disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
What are the obligations of businesses when a breach occurs?
The law requires that the person or business notify the affected consumers after discovering a breach in the security of its computer data system that affects private information. The disclosure must be made in the most expedient time possible, consistent with the legitimate needs of law enforcement agencies. While the law requires notice to the Office of the New York State Attorney General (OAG), the New York Department of State, and the New York State Police of the timing, content, and distribution of the notices and the approximate number of affected persons, submission of a breach form through the OAG's data-breach-reporting portal is sufficient, as the information is automatically sent to all three of those entities.
If you are a consumer affected by a breach, file a complaint. Do not submit a breach notification.
Are there any exceptions to the notification requirements?
The law provides for substitute notice to consumers if the business demonstrates to the Office of the New York State Attorney General that:
- the cost of providing regular notice would exceed $250,000
- the affected class of persons exceeds 500,000
- the entity or business does not have sufficient contact information
Where substitute notice is used, it must consist of all of the following, as applicable:
- email notice
- conspicuous posting on the entity’s web site
- notification to statewide media
In addition, the law does not require consumer notification if:
- the exposure of private information was an inadvertent disclosure by persons authorized to access private information
- the person or business reasonably determines such exposure will not likely result in misuse of such information or financial harm to the affected persons, or in emotional harm in the case of unknown disclosure of online credentials
Such a determination must be documented in writing and maintained for at least five years. If the incident affects over 500 residents of New York, the person or business must provide the written determination to the Attorney General within 10 days after the determination.
What are the penalties for violations of the SHIELD Act?
Under the SHIELD Act, the Attorney General may seek injunctive relief, restitution, and penalties against any business entity for violating the law. For failure to provide timely notification, the court may impose a civil penalty of up to $20 per instance of failed notification, not to exceed $250,000. For failure to maintain reasonable safeguards, the court may impose a civil penalty of up to $5,000 per violation.