New York State's SHIELD Act Signed into Law

The SHIELD Act significantly expands New York State's breach notification law

On July 25, 2019, New York State Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), Update S5575B, which amends the state’s breach notification law, N.Y. Gen. Bus. Law § 899-aa. In general, the SHIELD Act expands the definitions of a breach and private information, and requires businesses to have controls in place for breach prevention.

The update to the breach notification law takes effect in March of 2020. At the same time, legislators in New York may once again take up consideration of the New York Privacy Act or similar legislation that would create new data privacy rights for New York residents and impose obligations on organization’s that process that personal information. Items in this SHIELD breach legislation may ultimately be superseded by that more expansive legislation.

Overview of the SHIELD Act

The SHIELD Act:

• Expands the definition of a breach
  • Whereas previously a breach was defined as unauthorized acquisition of private information, it is now defined as unauthorized access to private information
  • Defines "access" to include viewing, downloading, or copying private information
     
• Expands the definition of private information to include personal information (such as a New York resident’s name or any other data that can be used to identify a natural person in combination with a social security number and driver’s license), plus the following:
  • Credit or debit card numbers (without requiring the security code), that could be used to gain access to an individual’s bank account
  • The combination of username and passwords, or security questions and answers, that could be used to gain access to an individual’s online account
  • Biometric information, such as fingerprints or retina scans
     
• Expands the businesses the law applies to
  • Whereas previously the law applied only to entities conducting business in New York, now the law applies to any entity with private information about New York residents
     
• Requires “Reasonable Safeguards”
  • Businesses that own or license personal information of New York State residents are now required to implement “reasonable safeguards” preventing breach of that information
  • Safeguards include:
    • Assigning and designating one or more employees to implement a security program
    • Establishing and implementing a security training program
    • Testing and monitoring key controls on a regular basis
    • Disposing of private information after a reasonable time frame
       
• Expands exemptions
  • Businesses are not required to notify of a breach if it occurred inadvertently by a person authorized to access the private information, and if the exposure does not result in financial or emotional harm to the individuals whose data was breached
  • Businesses are not required to notify of a breach under this Act if they have notified of the same breach under a different breach notification regulation, such as the New York Division of Financial Services (NYDFS) Cybersecurity Regulation, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), or others
  • Small businesses may tailor their information security programs based on their size, the nature of their business and the sensitivity of their private information.
     
• Expands violation action period
  • The NY State Attorney general can bring an action against a company within three years of the violation (whereas previously it was two years).

ACA Guidance

The SHIELD Act provides substantial updates to New York State's data privacy regulations. The SHIELD Act requires companies to have comprehensive programming in place to prevent breaches, have training programs in place, and regularly monitor their controls for effectiveness. The SHIELD Act also significantly expands the definitions of a breach and private information, the companies the law applies to, and the reporting period.

We strongly recommend that companies:

• Review current data protection policies for gaps in adherence to the updated New York State breach notification law, as well as other data privacy regulations
• Develop controls and procedures to address data privacy risk
• Expand training and monitoring related to data privacy issues
• Monitor developments in the New York State Senate pertaining to the NY Data Privacy Act, with an eye on changes the act may necessitate in your organization

How We Help

ACA's data privacy compliance services help companies assess their readiness to comply with the requirements of the SHIELD Act and other data privacy regulations, including GDPR, CCPA, LGPD, HIPAA, and others. We can help you implement best practices for achieving broader privacy risk and compliance objectives across the enterprise. Please contact us to learn how we can help your company.

Contact Us

For More Information

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com