NY SHIELD Act’s “adopting reasonable security measures” timeline quickly approaching

NY “Stop Hacks and Improve Electronic Data Security Act”

First off, what is the NY Shield Act, in a nutshell?

“The SHIELD Act requires employers in possession of New York residents’ private information to ‘develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.’”

Why did it come about? 

PURPOSE:  New York’s data breach notification law needs to be updated to keep pace with current technology. This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information. It also requires reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities.

The SHIELD Act’s expanded breach notification requirements have been in effect since October 23rd, 2019. The requirement to adopt ‘reasonable security measures’, however, does not take effect until March 21st, 2020.

What does this mean for you? 

In the event of a data breach (which you must notify affected New York residents of), you must already have a data security program in place. If you do not, you are noncompliant on both counts and exposed to fines.

Overview of NY SHIELD Act Protection

Previously, the New York State Information Security Breach and Notification Act held businesses to some standards around protecting private information and disclosing any breach of that data to the New York residents whose private information was exposed. The NY SHIELD Act expands that regulation in several ways.

The SHIELD Act:

  • Expanded the definition of private information. Previously it covered a New York resident’s name in combination with a Social Security number, driver’s license number or similar identifier; it now also covers:
    • Biometric information such as fingerprints or retina scans
    • A username or e-mail address in combination with a password, or with a security question and answer, that would permit access to an online account (this counts as private information even without the person’s name)
    • Account, credit card or debit card numbers, even without a security code, where the number alone could be used to access a person’s financial account
  • Expanded definition of a data breach:
    • Defined broadly as unauthorized access to, not just acquisition of, private information.
    • Indicators of access include the information having been viewed, downloaded, copied or otherwise used. Being able to prove who accessed a file, and how, is more important than ever.
  • Expanded the scope of the law to any entity that owns or licenses an NY resident’s private information, whether or not it does business in New York.*
  • Key requirement for ‘Reasonable Safeguards’:
    • Any business that owns or licenses the private information of a NY State resident is now required to have “reasonable safeguards” in place to protect the security, confidentiality and integrity of that data.
    • Examples of “Reasonable Safeguards” named in the Act:
      • Designating one or more employees to coordinate the security program.
      • Implementing a security awareness training program for the workforce.
      • Regularly assessing risks and testing and monitoring the effectiveness of key controls (Active Directory and access management, for example).
      • Reasonable retention policies that dispose of private information within a reasonable time after it is no longer needed for business purposes.
  • Exemptions
    • Organizations don’t need to notify affected individuals of a breach if the exposure was an inadvertent disclosure by someone authorized to access the private information and the organization reasonably determines it is not likely to result in misuse of the information or in financial or emotional harm. That determination must be documented in writing and kept for at least five years; if more than 500 NY residents are affected, the written determination must be provided to the Attorney General within ten days.
    • Organizations don’t need to send a separate notice if they have already notified the affected individuals of the same breach under another breach notification regime such as the NYDFS Cybersecurity Regulation (23 NYCRR 500), HIPAA, or the Gramm-Leach-Bliley Act (GLBA). Notice to the Attorney General, the Department of State and the State Police is still required.
    • Security programs can be tailored to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the private information it collects.*
  • Extended the violation action period
    • NY State Attorney General has three years to bring an action against a company that incurs a violation.

All businesses with employees in New York must comply with the SHIELD Act, since payroll records alone contain an employee’s name and Social Security number. A business with no presence in NY may also have to comply, because the law applies to any business that owns or licenses a NY resident’s private information, wherever that business is located.

Consequences of Noncompliance

The Act is enforced by the Attorney General’s office; there is no private right of action. If an organization fails to notify affected individuals, the court hearing the Attorney General’s action may award those individuals damages for the actual costs or losses they incurred, on top of civil penalties (preliminary relief is available under Article 63 of the Civil Practice Law and Rules). In the bill text below, bracketed words are struck from the prior law and capitalized words are added:

“Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to [ten] TWENTY dollars per instance of failed notification, provided that the latter amount shall not exceed [one] TWO hundred fifty thousand dollars.”

While a $5,000 penalty isn’t a huge deal, at $20 per instance of failed notification it can easily balloon to the $250,000 cap in a large breach, and a separate civil penalty of up to $5,000 per violation applies to failures to implement reasonable safeguards. This might not financially hurt an enterprise, but it could close the doors of a small or mid-sized business. Even where the fine is immaterial, an enterprise’s reputation is always at stake in these scenarios, which can indirectly affect revenue.

*Small businesses and regulated entities: A small business (fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) is not exempt, but may scale its data security program to its size and complexity, the nature and scope of its business activities, and the nature and sensitivity of the information it collects. Entities that are covered by and in compliance with the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services cybersecurity regulation are deemed in compliance with the SHIELD Act’s reasonable-safeguards requirement.

Executing the required administrative, technical and physical safeguards may be prohibitive for many organizations. As such, businesses are looking at alternative ways to meet these new requirements, including leveraging a virtual CISO to help strategize, execute and manage the necessary security program. A Managed Security Services partner can also help once current solutions and procedures have been fully assessed and any new security solutions have been implemented.

The first thing that needs to be done is to get an accurate picture of your current security posture, determine where vulnerabilities and gaps lie, and develop a plan to address them.