The New York SHIELD Act: Improving Data Security One State at a Time

While there is not one holistic data privacy and protection regulation across the US, there are hundreds of laws (both federal and state) designed to help protect the personal data of citizens. In NY, another data security and privacy regulation implemented in 2020 requires organizations to have a data privacy and protection program in place. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act began covering New York state residents as of March 21, 2020.

The Who, What, and Why of the SHIELD Act

Identity theft is a growing and alarming issue for NY residents, and the state legislature took action by amending the existing General Business Law and the State Technology Law. The amendment incorporates sound cybersecurity protocols and strengthens the oversight mandate of the New York Attorney General’s Office over data breach incidents and over how notifications to New York residents are managed. “New Yorkers deserve the peace of mind that companies will be held accountable for securing their information,” noted Attorney General Letitia James.

Millions of organizations collecting or using New York residents’ personal and private information are regulated by the SHIELD Act. Small business exceptions with appropriately scoped requirements are noted in the regulation. A subset of larger companies are deemed to already comply by virtue of their compliance with certain other regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), or the NY State Department of Financial Services cybersecurity requirements and regulations.

The SHIELD Act allows the NY AG’s office to penalize companies $20 per instance of failed breach notification, capped at $250,000, and to pursue up to $5,000 in civil penalties per violation plus actual damages for failure to comply with the regulation. Another ramification is brand reputation.

The SHIELD Act distinguishes between personal information and private information. Personal information (PI) — also known as personally identifiable information (PII) — is data that identifies a natural person. Private information may be personal information combined with types of non-public PII and belongs to the person. Private information may also be non-public personal information that gives an individual access to legal rights or permissions. Examples of private information are social security numbers, driver’s license numbers or non-driver ID card numbers, account numbers, credit card or debit card numbers in conjunction with the security or access codes, passwords, or PINs thereof. Usernames and email account names with passwords are also within the SHIELD definition of private information. Electronically generated biometrics, such as fingerprints, voiceprints, and retina or iris scans also fall into the category of private information.

If an unauthorized person (or attacker) merely accessed private information, it is considered a breach, regardless of whether they stole, sold, or used it in any way. In such a case, a data breach notification must be triggered under the law.

According to the SHIELD Act, an organization must have implemented “reasonable safeguards to protect the security, confidentiality, and integrity” of sensitive, personal, and private information. Those safeguards may include protection of private data and disposal or erasure of data as soon as the data is no longer needed for business purposes.

Be Prepared to Demonstrate Compliance

There is no doubt that data privacy regulations are here to stay. The Business Council for New York State, Inc. collaborated with the AG to build the commonsense approach of the SHIELD Act, demonstrating how government and business can work together to build solutions that protect both businesses and consumers. This requires organizations to rethink their processes and supporting technology to ensure the protection of the company, its customers, and its employees.

A business is considered in compliance with the SHIELD Act if it executes “reasonable administrative, technical, and physical safeguards” within its data security program. The International Association of Privacy Professionals (IAPP) suggests steps to implement such a data security program within your company, including:

Administrative

  • Name at least one employee to coordinate the data security program
  • Assess the sufficiency of chosen safeguards to control identified risks
  • Train and manage all relevant employees in the program practices and procedures
  • Dynamically adjust practices and the program when business or circumstances change

Physical

  • Assess risks of data storage and disposal
  • Enable detection, prevention, and responses to data security intrusions
  • Take measures to prevent unauthorized access and use of private information at all times (collecting, transporting, disposing of the data)
  • Shorten the length of time of holding private information to what is practically needed and dispose of it reasonably quickly by erasing and deleting so the information can never be reconstructed or read

Technical

  • Assess risks in software and network designs as well as the processing, transmission, and storage of sensitive data
  • Actively detect, prevent, and respond to attacks and system failures
  • Regularly test and monitor the effectiveness of controls and procedures

If your organization is regulated by the SHIELD Act, it’s also imperative that you provide clear, easy-to-find information on your website for customers and other individuals to:

  1. Request data subject access reports (what personal data the company holds on an individual) or
  2. Request to have all of their private information erased

Reduce Risk by Rethinking Data Management

To reduce risk and mitigate vulnerabilities, organizations will need to engage a technology provider that helps reliably discover, inventory, and protect private information. While considering the IAPP safeguard steps, also consider the high-level, technology-related guidance here, and be sure your service provider is proven to be able to help you:

  • Establish your data management policies according to the regulations that apply to your company
  • Discover and inventory your sensitive data in all repositories whether on-premises or in the cloud
  • Implement steps to remedy and respond to the Right of Erasure with technology that can mask, encrypt or hard-delete
  • Create flexible reporting capabilities to meet the needs of the different critical stakeholders
  • Institute data monitoring and automated alerts according to your policies
  • Specify what information is needed for your executive dashboards so you can nimbly pinpoint where intruders, attackers, or internal violations may occur and take appropriate action
  • Establish data retention policies in order to minimize the amount of sensitive information your company holds throughout all its data repositories

The fact remains that organizations need to rethink their data management practices in order to stay ahead of the regulatory compliance curve. To learn more about rethinking data management practices, check out this 3-part blog series.