Legal Brief: New York Implements Data Privacy Law

Feb. 12, 2020
SHIELD Act establishes serious consequences for data breaches
Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at tpastore@mmwr.com.
This article originally appeared in the February 2020 issue of Security Business magazine.

The New York SHIELD Act (the "Stop Hacks and Improve Electronic Data Security Act"), signed into law in July 2019 and now in effect, is one of the strictest data security laws in the country. It amends New York's existing breach notification statute and adds a new requirement that covered businesses maintain reasonable data security safeguards, going beyond the existing state and federal regulatory framework. It is of particular relevance to the security industry, given the amount of private and sensitive data maintained by companies providing security products and services.

What the Law Mandates

The law reaches not only New York-based businesses that collect private information of New York residents, but also any person or business, wherever located, that owns or licenses computerized data containing the private information of New York residents. The expanded breach notification provisions are already in effect; the data security program requirements take effect 240 days after enactment, which means businesses must have compliant safeguards in place by March 21, 2020.

Also, the law expands the definition of a security breach. Previously, a consumer had to be notified only when private information was stolen or otherwise acquired by an unauthorized party; under the SHIELD Act, a breach requiring notification is deemed to have occurred when an unauthorized party merely gains access to the data, even if nothing is shown to have been copied or exfiltrated. In practice, this means more incidents will qualify as reportable breaches and, therefore, more obligatory notifications to consumers. It also raises the bar on logging and forensics: to conclude that an intrusion did not involve unauthorized access to private information, a business needs records that can actually support that conclusion.

The definition of private information (the state's term for personally identifiable information) is expanded to include biometric information, such as data generated by facial recognition or fingerprint systems; a username or email address together with a password, or together with a security question and answer, that would permit access to an online account; Social Security numbers; driver's license or other ID card numbers; and account, debit or credit card numbers, including those that can be used without a separate security code or password. This enlarged data set imposes a greater burden on companies and is especially meaningful for security companies that gather and store sensitive data such as biometric templates, credentials and access passcodes.

No matter where your business resides, if you hold the private information of even one New York resident, you must comply with the law. Suppose your business stores the private information of New York consumers, but also has thousands or millions of customers from other states. Since it is impractical to run a separate data security program and privacy policy for New York customers only, the SHIELD Act will in practice compel businesses to apply compliant policies and safeguards to all customers, regardless of the customer's state (or country) of residence.

Penalties for failing to provide required breach notifications can reach $250,000, and the Attorney General may also seek civil penalties for failing to maintain reasonable safeguards. Historically, fear of negative press has led to underreporting of breaches; the law is designed to make non-disclosure more costly than disclosure.

How to Comply

The law identifies a number of steps that businesses should take to ensure compliance:

1. A company should implement reasonable safeguards. The SHIELD Act does not mandate specific controls; rather, it provides that a business will "be deemed to be in compliance" if it implements a data security program that includes the administrative, technical and physical safeguards enumerated in the Act. On the administrative side these include identifying internal and external risks, training employees and selecting vendors capable of maintaining appropriate safeguards. On the technical side they include assessing risks in network and software design and in the processing, transmission and storage of data; detecting, preventing and responding to attacks or system failures; and regularly testing and monitoring the effectiveness of key controls. On the physical side they include protecting against unauthorized access to or use of private information and disposing of it within a reasonable time after it is no longer needed. Limiting access to private information to those who need it runs through all three categories.

2. A company should formally designate or hire an employee to coordinate the security program. This person should conduct risk assessments, implement safeguards and otherwise manage compliance with the law. This person also should be responsible for reporting any breaches to the appropriate authorities, which in New York means the State Attorney General's office along with the Department of State and the Division of State Police. Additionally, now is the time to assemble a team of outside legal counsel and expert IT personnel so that the program is in place before the compliance deadline rather than assembled after an incident.

3. A company should regularly update and patch software, hardware and other information systems, and retire systems that no longer receive security updates. Stay current on the latest threats and security practices, and take an active, not a reactive, role.
