One of the major changes introduced by the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which was signed into New York law last year, is scheduled to take effect this week.
The SHIELD Act modernized New York’s laws by (1) expanding the data elements that may trigger data breach notification to include certain biometric information, user names or email addresses, and account, credit card, or debit card numbers, if circumstances would permit account access without a security code or other information; (2) broadening the definition of a breach to include unauthorized “access” (in addition to unauthorized “acquisition”); and (3) creating a new reasonable security requirement for companies to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of” the private information of New York residents. The first two changes took effect on October 23, 2019, while the third will take effect on March 21, 2020.
As of March 21, 2020, any “person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including but not limited to disposal of data.” A person or business will be deemed compliant if it implements a data security program that includes the following:
- reasonable administrative safeguards, in which the person or business:
  - designates an employee to coordinate the security program;
  - identifies reasonably foreseeable internal and external risks;
  - assesses the sufficiency of safeguards in place to control the identified risks;
  - trains and manages employees in the security program practices and procedures;
  - selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
  - adjusts the security program in light of business changes or new circumstances.
- reasonable technical safeguards, in which the person or business:
  - assesses risks in network and software design;
  - assesses risks in information processing, transmission, and storage;
  - detects, prevents, and responds to attacks or system failures; and
  - regularly tests and monitors the effectiveness of key controls, systems, and procedures.
- reasonable physical safeguards, in which the person or business:
  - assesses risks of information storage and disposal;
  - detects, prevents, and responds to intrusions;
  - protects against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and
  - disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
The specific requirements that a business will need to implement will depend on the size and nature of the business and the type of information that a business collects. If a court determines that a person or business knowingly or recklessly violated the statute, a court may impose a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, up to $250,000.