This July, New York Governor Andrew Cuomo passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act to further protect state residents from data breaches.
So, what does that mean for New York State consumers? Better online protection, and legal assurances that companies you do business with are doing a better job protecting the information they collect from you.
And what does it mean for organizations that own or license computerized data that includes private information from NYS residents? Time to get to work and harden your computer systems – or face the consequences.
The SHIELD Act, which goes into effect on March 21, 2020, will protect NYS consumers by expanding the definition of “private information,” and by requiring entities around the world that process, transmit, and store that data to take “reasonable safeguards” to protect it.
Private information already includes data such as social security numbers, credit card numbers, and driver’s license numbers; the Act adds biometric data such as fingerprints and retinal scans, as well as the combination of usernames and passwords or security questions. This redefinition also changes when notifications are triggered, which means more breaches will be reportable and, therefore, more consumer/customer notifications will be required.
“Before the SHIELD Act, New York was an acquisition state,” says Michael McCartney, president of Avalon Cyber. “Meaning, businesses had an obligation to notify only when private electronic data was acquired. Now, as soon as that data is accessed, those businesses must notify the attorney general, as well as their customers.” He explains that, forensically, it’s difficult to prove with a high degree of certainty that data has been acquired during a breach, so often companies do not have to report the incident. Access, on the other hand, is much easier to determine, so this is a step in the right direction for protecting personally identifiable information.
But what does the term “reasonable safeguards” really mean? Well, according to the National Law Review:
“As with the notification requirements, the SHIELD Act requires that any person or business that owns or licenses computerized data which includes private information of a resident of New York must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information. Again, businesses in compliance with laws like HIPAA and the GLBA are considered in compliance with this section of the law. Small businesses are subject to the reasonable safeguards requirement; however, safeguards may be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” A small business is considered any business with fewer than fifty employees, less than $3 million in gross annual revenue in each of the last 3 years, or less than $5 million in year-end total assets.
The law provides examples of practices that are considered reasonable administrative, technical and physical safeguards. For example, risk assessments, vulnerability assessments, penetration tests, continuous monitoring, employee training, selecting vendors capable of maintaining appropriate safeguards and implementing contractual obligations for those vendors, and disposal of private information within a reasonable time period, are all practices that qualify as reasonable safeguards under the law.”
So, if your organization does any business with New York State consumers, regardless of where you’re located, and it holds computerized private information, you need to step up your data protection game.
Here are a few actions you’ll need to add to your cybersecurity plan, if you haven’t already:
- Conducting risk assessments of your network, software design, and information processing, transmission, and storage
- Providing employee cybersecurity training
- Implementing measures to prevent, detect, and respond to intrusions
- Selecting vendors capable of maintaining appropriate safeguards and implementing contractual obligations for those vendors
- Disposing of private electronic information within a reasonable time period
Now, you’re probably wondering, “Are there penalties for failing to comply with the SHIELD Act?” You betcha. Again, the National Law Review tells us that:
“The attorney general may bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are not reckless or knowing, the court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For knowing and reckless violations, the court may impose penalties of the greater of $5,000 dollars or up to $20 per instance with a cap of $250,000. For reasonable safeguard requirement violations, the court may impose penalties of not more than $5,000 per violation.”
“Organizations,” concludes the National Law Review, “should be assessing and reviewing their data breach prevention and response activities, building robust data protection programs, and investing in written information security programs (WISPs).”
Of course, to assist you with all of this, we suggest calling in the experts from Avalon Cyber to help. And, since this law is new and still open to interpretation, stay tuned to our blog for more updates on the SHIELD Act.