New York SHIELD Act
The New York SHIELD Act builds on New York’s existing data breach notification law, which required notifications for two classes of information: personal information and private information. The SHIELD Act expands what is classified as private information, and unauthorized access to information, as distinct from acquiring it, is now classed as a data breach.
In November 2017, New York Attorney General Eric T. Schneiderman announced the Stop Hacks and Improve Electronic Data Security Act (SHIELD). This proposed bill (S6933) is referred to as the ‘New York Data Security Act’.
SHIELD’s aim is to protect New Yorkers’ personal information from a growing number of data breaches, and to ensure they are notified when such breaches occur.
New York Governor Andrew Cuomo signed the SHIELD Act into law on July 29, 2019. The Act takes effect on March 21, 2020.
Achieve immunity with ISO 27001 certification
SHIELD would create a safe harbor under which organizations compliant with ISO 27001 (and supported by the best-practice guidelines contained in ISO 27002) or NIST 800-53 would not be subject to prosecution by the Attorney General unless there is evidence of “willful misconduct, bad faith, or gross negligence”.
The key changes proposed by the SHIELD Bill
Under SHIELD, organizations will have a legal responsibility to handle the sensitive data of New York residents in keeping with administrative, technical, and physical safeguards, including:
- Designating employees to coordinate a security program
- Identifying internal and external risks
- Assessing the sufficiency of safeguards to control risks
- Training employees in security practices
- Selecting capable service providers
- Adjusting the security program with changes in the business
- Assessing risks in software and network design
- Assessing risks in information processing, transmission, and storage
- Detecting, preventing, and responding to incidents or system failure
- Testing and monitoring systems, controls, and procedures
- Assessing risks of information storage and disposal
- Detecting, preventing, and responding to intrusions
- Protecting against unauthorized access or use of private information
- Reasonably disposing of private information after it is no longer needed
Who will the SHIELD Act apply to?
The SHIELD Act will apply to all companies handling the sensitive personal data of New York residents, whether they do business in New York or not.
Smaller organizations, however, are given some leniency: they need only apply ‘appropriate’ administrative, technical and physical safeguards, and what counts as appropriate may take the company’s size into account.
Penalties under SHIELD
The Act applies to people and businesses that own or license computerized data of New York residents (it is no longer limited to businesses that conduct business in New York State).
If the breach is notified to the affected persons under a number of other laws, no separate notification is necessary, but the organization must still inform the State Attorney General, the Department of State and the relevant division of the state police.
You cannot make your notification by email if the email and authentication information (password and/or recovery information) were part of the breached information.
Fines for failed notifications are now $20 per instance rather than $10, with a total limit of $250,000 (up from $150,000).
The Attorney General now has three years from discovering the breach or being notified of it to take action rather than two, with an absolute limit of six years from discovery by the company itself unless the company tried to conceal it. This suggests that there is no statute of limitations for legal action if the company tries to hide that data has been breached.
Notifications to data subjects who may have been affected by a data breach must now include information about agencies that can help with identity theft protection, etc.
Speak to an expert
IT Governance has the information security expertise to help organizations achieve compliance with the international information security standard, ISO 27001, and its companion guidance, ISO 27002. Please contact our ISO 27001 team for advice and guidance on our products and services.