Update on New York’s SHIELD Act - Cybersecurity Requirements on Businesses Now in Effect
While New Yorkers and the rest of the world were focused on COVID-19 and its implications for business and individuals, a major facet of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) quietly went into effect on March 21, 2020. We previously reported on the SHIELD Act in our November 2019 client alert. This alert is an update on the SHIELD Act and certain of its provisions.
The SHIELD Act expanded New York State's data breach notification law and imposed a new “data security program” requirement on businesses that possess the private information of New York State residents, regardless of whether the businesses have any physical presence within New York State. It provides that businesses that own or license computerized data that includes “private information” of New York State residents must implement a data security program that includes the following:
- administrative safeguards in which the business:
  - designates one or more employees to coordinate the security program;
  - identifies reasonably foreseeable internal and external risks;
  - assesses the sufficiency of safeguards in place to control the identified risks;
  - trains and manages employees in the security program practices and procedures;
  - selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract; and
  - adjusts the security program in light of business changes or new circumstances.
- technical safeguards in which the business:
  - assesses risks in network and software design;
  - assesses risks in information processing, transmission and storage;
  - detects, prevents and responds to attacks or system failures; and
  - regularly tests and monitors the effectiveness of key controls, systems and procedures.
- physical safeguards in which the business:
  - assesses risks of information storage and disposal;
  - detects, prevents and responds to intrusions;
  - protects against unauthorized access to or use of private information during or after the collection, transportation and disposal of the information; and
  - disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Businesses that are subject to, and are in compliance with, Title V of the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the New York State Department of Financial Services Cybersecurity Requirements (23 NYCRR 500) are exempted from this requirement under the SHIELD Act.
The SHIELD Act provides a limited reprieve for “small businesses,” which are businesses with (i) fewer than fifty employees; (ii) less than $3 million in gross annual revenue in each of the last three fiscal years; or (iii) less than $5 million in year-end total assets, calculated in accordance with GAAP. Under the Act, “small businesses” that own or license computerized data that includes private information of New York State residents are only required to implement a data security program that contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information it collects. Thus, while small businesses still must implement a data security program, the specific requirements of such program are somewhat relaxed.
The New York State Attorney General can pursue civil penalties for violations. Importantly, however, there is no private right of action.
In our previous alert, we suggested steps for businesses to comply with the law. Please refer to that alert for additional information about the steps that businesses should take to comply.