Enterprise Law Column: What You Must Know Concerning the NYS SHIELD Act | Prime tales
The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act (“the Act”) was incorporated into New York State law in July 2019. Major provisions of the Act went into effect in March 2020. If the news was shared around that time and you missed it, this article provides an overview of the purpose and scope of the SHIELD Act, who is subject to it, what it requires, and the possible consequences of non-compliance.
The SHIELD Act aims to protect New Yorkers’ online private information by requiring companies to notify anyone whose private information they are holding if they experience a cybersecurity breach. It also calls for preventive security precautions to be taken in order to avoid breaches in the first place. The Act updates and amends the Information Security Act of 2005 to reinforce previously applicable requirements and provide additional protection. It applies to most companies that store personal information about customers, employees, suppliers or other people.
What is private information?
If your company holds “private information” from residents of New York State, it is likely subject to the requirements of the SHIELD Act. The definition of private information is expanded to include any information which, based on name, number, personal identifier or other identifier, can be used to identify the person to whom it belongs, stored in combination with: biometric information (e.g. fingerprint, voice print, retinal or iris image); user names or email addresses in combination with passwords or security questions and answers; account numbers; credit/debit card numbers (with or without security code); and access codes and passwords. Basically, the law aims to ensure that any company that stores information that a wrongdoer could use to access sensitive accounts owned by New Yorkers is subject to its requirements.
Required security programs
The law requires that covered entities have certain cybersecurity measures in place. These are referred to in the law as the “cybersecurity program”. Your cybersecurity program should be documented so that you can demonstrate to a regulator or law enforcement officer that it exists. The cybersecurity program must protect the “security, confidentiality, and integrity” of individuals’ private information. It must contain certain administrative, technical and physical safeguards: identifying reasonably foreseeable internal and external risks; periodically reviewing and monitoring the effectiveness of key controls, systems and procedures; and disposing of private information once it is no longer needed for business purposes so that it cannot be read or reconstructed.
The law requires that in the event of a data breach that compromises private information, a company must disclose the breach to any potentially affected New Yorker. Disclosure must be made immediately once the company detects the breach, and in a manner that meets the legitimate needs of law enforcement.
The law extends the definition of a data breach to any access to or acquisition of computerized data that compromises the security, confidentiality or integrity of private information. Examples of access include viewing, copying, or downloading private information. If your company suffers a breach, it must also notify the New York State Attorney General (“AG”), the New York State Department of State, and the State Police. If more than 5,000 residents of New York State are affected, you must also inform consumer reporting agencies of the timing, content and distribution of the notices and the approximate number of people affected. Entities covered by the Health Insurance Portability and Accountability Act of 1996 or the Health Information Technology for Economic and Clinical Health Act are now also subject to the notification requirement.
The Act requires notification in writing or by telephone. Notice can only be sent by email if the individuals consented to notification by email. Alternate notification methods are acceptable if the cost of providing the notification would exceed $250,000 or the number of people to be notified exceeds 500,000.
Some of the burdens imposed by the SHIELD Act are reduced for “small businesses”. By law, small businesses are those with fewer than 50 employees, less than $3 million in gross revenue in each of the last three fiscal years, or less than $5 million in total assets.
Small businesses comply with the law if their security program includes adequate administrative, technical, and physical safeguards appropriate to the size and complexity of the small business, the scope of its business, and the sensitivity of the personal information collected. Exactly what this means is for the courts to decide, but if your small business is storing private information, it is wise to err on the side of a more proactive cybersecurity program.
If a company violates the SHIELD Act, the AG can seek injunctive relief (enforced compliance or closure), restitution (compensation for victims) or penalties. Failure to provide timely notification could result in a penalty of up to $20 per failed notification, up to $250,000 per person you failed to notify. The penalty for failure to maintain adequate safeguards is up to US$5,000 per violation.
Your organization’s obligations under the SHIELD Act depend on its circumstances. Compliance can be facilitated by the advice of an experienced legal advisor. Please contact attorneys Justin Furry or Christopher Baiamonte of the Wladis Law Office at (315) 445-1700 with questions about anything in this article.