The SHIELD Act requires that businesses of all sizes assess their existing IT infrastructure, resources, devices, policies and access controls.
The New York SHIELD Act specifies that companies that handle, store, or use New York residents’ personal and private information are required to implement specific data security measures and to report any breaches in a timely manner (or risk facing enforcement from the state’s attorney general).
Important Deadlines: The Act requires the recording of data breaches starting on Oct. 23, 2019, while the deadline for adopting reasonable security measures is not until March 21, 2020.
When the SHIELD Act Applies:
The SHIELD Act applies to ANY person or business that owns or licenses computerized data, including a New York resident’s private information. The SHIELD Act expands New York law, extending protection of New York residents’ data, even when the person or business does not do business in New York.
Protected New York resident private information includes the following:
- Personal Information.
This refers to “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
- Private Information.
This includes a variety of information such as a person’s Social Security number, driver’s license or another ID card number, financial or account related information (such as credit cards), or biometric information that’s not encrypted or is encrypted “with an encryption key that has also been accessed or acquired.” It also includes users’ login info.
Breach Notification Amendments: Effective October 23, 2019
Currently, a breach is defined as the unauthorized acquisition of private information, meaning a breach only needs to be reported if you are confident that information was actually taken.
The SHIELD Act expands the definition of a breach to include any unauthorized access to the information. This means that the unauthorized viewing of private information would be considered a breach and need to be reported to the Attorney General, even if there is no evidence that the data was actually extracted.
SHIELD Act Requirements
The SHIELD Act requires “reasonable” safeguards to protect New York residents’ private information. Specifically, the SHIELD Act requires any person or business holding a New York resident’s private information to develop, implement, and maintain “reasonable” administrative, technical, and physical safeguards to protect and securely dispose of New York residents’ private information.
To comply with the SHIELD Act you need to:
- Regularly Train Users
- Have Visibility of Vulnerabilities
- Implement a Control Framework
- Control & Limit User Access
- Review Private Information Storage & Disposal Processes
- Develop Incident Response and Disaster Recovery Plans
Entities that are already complying with existing New York (DFS, for example) or federal data security requirements (including regulations under the Gramm-Leach-Bliley Act) may avoid the stiffest penalties under the SHIELD Act by showing that they have been making a good faith effort to be secure.
If your organization does not have any state or federally regulated security requirements, iV4 recommends subscribing to a standardized security control framework, such as the CIS 20 Critical Controls.
If an operation fails to have “reasonable” administrative, technical, and physical safeguards to protect and securely dispose of New York residents’ private information, then the New York Attorney General may prosecute the offending conduct as an unfair business practice and may seek an injunction.
If a New York resident who is entitled to notification of an information disclosure doesn’t receive one but suffers losses or damages as a result of the disclosure, the court can award damages for actual costs or financial losses they incur. In addition:
“Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars.”
Penalties of $5,000 might not be that serious. But $150,000 is enough to cause a small or midsize organization to close its doors.
iV4 can guide you through the requirements for complying with the SHIELD Act by implementing a standardized security control framework. Contact us to get started.