The SHIELD Act requires businesses to develop, implement and maintain “reasonable safeguards to protect the security, confidentiality and integrity” of New York residents’ data.
Back in the spring of 2019, the New York legislature passed Senate Bill 5575, the Stop Hacks and Improve Electronic Data Security Act, aka the SHIELD Act.
The SHIELD Act impose specific cybersecurity requirements and applies to any person or business that owns or licenses computerized data, which includes private information of New York residents including biometric data, unsecured health information, financial account numbers and email addresses along with corresponding passwords or security questions and answers.
Similar to the CCPA and the GDPR, the SHIELD Act expands liability to any organization that collects private information of New York residents, regardless of where it was collected. This means that an organization does not necessarily have to conduct business in New York in order to come under the purview of the SHIELD Act.
By expanding the definitions of “breach” and “private information,” the SHIELD Act has significantly expanded New York’s data breach notification laws. The expanded definitions, in effect, create more instances where a business would be required to notify New York residents of a data breach.
Under the NY SHIELD Act, a Cybersecurity Program must coincide with best practices that support:
While the SHIELD Act defines “personal information” as “any data about a natural person that can be used to identify the individual, it defines “private information” as either personal information in combination with a variety of traditional non-public personally identifiable information or a user name/email address in combination with a password or security question/answer that permits access to an online account.
The SHIELD Act will be enforced by the New York Attorney General. The Attorney General can take action in court against a business if the business violates certain parts of the Act. As of the middle of 2019, the Attorney General’s office has fined over $600M related to data breaches.
The Attorney General must act within three years of becoming aware of a violation (including where the business notified the Attorney General of the breach directly).
Fines can be issued under the Act issued where a business has failed to properly notify people affected by a data breach. The fines will be a civil penalty of either:
In order to meet the 2021 deadline, companies should take necessary steps to ensure that they are in compliance with the SHIELD Act. These steps include:
A process must be implemented to identify the type of private data collected, how it is being stored, and if that information is being utilized. A process then must be put into place to control and restrict certain access to all PII.
A technology audit is vital to identify where you are vulnerable of being hacked, which will allow us to provide the appropriate precautions and install the proper preventive measures to defend against any cybersecurity threat.
A test designed to see where your vulnerabilities lie, how hackers gain access to your network's sensitive information, and result in gaining valuable information to take the most appropriate course of action.
If a data breach occurs, the SHIELD Act requires a business to communicate directly with the people who have been affected by the data breach, and also to inform public authorities with the appropriate type of data breach notice.
What Counts as a Data Breach? Rather than “data breach,” the SHIELD Act uses the term “breach of the security of the system”. This can cover situations where a system has been compromised but it isn’t clear whether data has been accessed or acquired.
Whenever you have notified individuals about a data breach, you’ll also need to notify these public authorities:
The SHIELD Act expands the definitions of a breach and private information, and requires businesses to have controls in place for breach prevention.
