***Update – Amendments to the existing data breach notification law are now in effect.***
New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The law amends the existing data breach notification law and adds new cybersecurity requirements. Amendments to the existing data breach notification law take effect Oct. 2019. The SHIELD Act cyber provisions take effect in March 2020.
The Governor also signed into law the Identity Theft Prevention and Mitigation Services Act (Act). The Act requires credit reporting agencies that suffer a breach involving Social Security numbers to provide five years of identity theft prevention and mitigation services to affected consumers. The Act becomes effective in September 2019.
Continue reading for a summary of the SHIELD Act and how it could impact your business.
Changes to New York’s Data Breach Notification Law
The SHIELD Act makes several changes to the existing data breach notification law including:
- Expanding the definition of a breach to include the unauthorized access to private information. The SHIELD Act states that when determining if information was accessed, a business may consider, “[i]ndications that the information was viewed, communicated with, used, or altered by a person without valid authorization” (emphasis added).
- Expanding the definition of “private information” to include:
  - Credit or debit card numbers without a security code, if the numbers could be used to access an individual’s financial account;
  - Biometric information; and
  - User names or email addresses together with passwords or security questions and answers that could permit access to an online account.
- Creating an exception where the exposure of private information occurs as the result of an inadvertent disclosure by an authorized person and where a business reasonably determines the exposure poses no risk of financial or emotional harm to the affected persons.
- Exempting some notification obligations where the business has also notified pursuant to certain other regulations, including GLBA, HIPAA, and NY DFS Cybersecurity Regulation.
- Expanding the period of time in which the attorney general may bring action against a business from two years to three years.
The Addition of Reasonable Cybersecurity Practices
The SHIELD Act also requires businesses with New York residents’ private information to, “develop, implement and maintain reasonable safeguards” to protect the security of the private information.
- Examples of “reasonable administrative safeguards” include:
  - The designation of one or more employees to coordinate the security program;
  - Identifying reasonably foreseeable internal and external risks;
  - Assessing the sufficiency of safeguards in place to control the identified risks;
  - Training and managing employees in the security program’s practices and procedures;
  - Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and
  - Adjusting the security program in light of business changes or new circumstances.
- Examples of “reasonable technical safeguards” include:
  - Assessing risks in network and software design;
  - Assessing risks in information processing, transmission, and storage;
  - Detecting, preventing, and responding to attacks or system failures; and
  - Regularly testing and monitoring the effectiveness of key controls, systems, and procedures.
- Examples of “reasonable physical safeguards” include:
  - Assessing risks of information storage and disposal;
  - Detecting, preventing, and responding to intrusions;
  - Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and
  - Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes.
The passage of the SHIELD Act comes after the introduction of SB-5642, known as the “New York Privacy Act” (NYPA), which has been criticized for several reasons including:
- The creation and imposition of a “data fiduciary” on covered businesses to exercise the duty of care, loyalty, and confidentiality of a fiduciary with regard to securing the personal data;
- Broadly defining “personal data” to include “an identifier” such as a real name, alias, signature, date of birth, gender identity, marital status, physical characteristic or description, postal address, telephone number, Internet Protocol address, email address, account name, and mother’s maiden name; and
- Creating a private right of action for, “any person who has been injured by reason of a violation of this article.”
NYPA is currently pending before the New York legislature.
What Does This Mean For Your Business?
The SHIELD Act is the latest standard that must be incorporated into internal business practices. It comes about a year after GDPR, CCPA, and the relatively unassuming passage of Nevada’s consumer privacy law (which goes into effect October 2019 – before CCPA) and Maine’s Privacy of Online Consumer Information law (LD-946).
The SHIELD Act applies to any person or business that owns or licenses computerized data containing private information of New York residents, regardless of whether that person or business conducts business in New York. To ensure compliance, businesses must create, review, and/or amend written information and cybersecurity policies to meet the standards outlined in the SHIELD Act.
Practically speaking, scrambling to comply with new privacy and cybersecurity laws as they are passed is a costly and inefficient compliance strategy. With several other states proposing similar laws, privacy and cybersecurity must be adopted across the whole business. This global adoption can be effectively managed by comprehensive data mapping that allows a business: (1) to know what data the company has, (2) to track where the data is, and (3) to manage how the data is being used. This kind of information governance enables a business to (1) reduce costs and streamline the process by which new laws are incorporated into business practices and (2) ensure those practices meet the legal standards required to manage and secure data.