The New York SHIELD (Stop Hacks and Improve Electronic Data Security) Act
What is the New York SHIELD Act?
The New York SHIELD Act serves two main functions:
- Building on the breach notification requirements of General Business Law §899-AA and expanding its definition of private information.
- Creating a new section, §899-BB, which requires any person or business that owns or licenses computerized data that includes the private information of a New York resident to “develop, implement and maintain reasonable safeguards” to protect it.
What are the SHIELD Act’s data breach notification requirements?
The data breach notification part of the Act, amending New York General Business Laws, Article 39F, Section 899-AA, takes effect on October 23, 2019. It builds on the existing data breach notification law by:
- Expanding the definition of ‘private information’ so that it now includes:
  - Personal information (“information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person”) combined with one or more of the following data elements:
    - Social Security number
    - Driver’s license number or non-driver identification card number
    - Account number, or credit or debit card number, in combination with any required security code, access code, password, or other information that would permit access to an individual’s financial account
    - Account number, or credit or debit card number, if it is possible the number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password
    - Biometric information or other unique physical representation or digital representation of biometric data that is used to authenticate or ascertain the individual’s identity
  - A username or email address in combination with a password or security question and answer that would permit access to an online account
- Extending the definition of a breach to include unauthorized access to private information as well as unauthorized acquisition
- Increasing the scope of the statute to include any person or business – irrespective of whether they conduct business in New York state – that owns or licenses computerized data that includes the private information of a New York resident
New York state residents whose private information has been, or is reasonably believed to have been, accessed or acquired by a person without valid authorization must be notified as soon as possible and without unreasonable delay, using one or more of four methods:
- Written notice
- Electronic notice (unless the security of the email was breached)
- Substitute notice if more than 500,000 people were affected
Notification must include all of the following:
- Contact information for the person or business making the notification
- The telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information
- A description of the categories of information that were, or are reasonably believed to have been, accessed or acquired without valid authorization, including specifying which elements of personal information and private information were, or are reasonably believed to have been, accessed or acquired
Notification is not required for an inadvertent disclosure by persons who were authorized to access the private information, if the business “reasonably determines such exposure will not likely result in misuse” of the information, or in financial or emotional harm to the affected persons.
If the business fails to make the required notice, the New York Attorney General can bring an action for an injunction. The court may impose a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, up to a maximum of $250,000.
Not all organizations are subject to New York state’s breach notification statute. The SHIELD Act exempts organizations that are subject to U.S. federal laws and NY state laws that already require data breach notification, such as HIPAA (the Health Insurance Portability and Accountability Act) and the GLBA (Gramm-Leach-Bliley Act).
What are the information security requirements?
The cybersecurity part of the Act takes effect on March 21, 2020. It adds a new section to the General Business Law – New York General Business Laws, Article 39F, Section 899-BB – that requires any person or business that owns or licenses computerized data that includes New York residents’ private information to “develop, implement and maintain reasonable safeguards” to protect its security, confidentiality, and integrity.
Organizations will be deemed to comply with these requirements if they:
- Are subject to and comply with the GLBA, HIPAA, the NYDFS Cybersecurity Requirements for Financial Services Companies, or any other data security rules and regulations of, and the statutes administered by, any official department, division, commission, or agency of the federal or New York state government; or
- Implement a data security program that includes reasonable administrative, technical, and physical safeguards, such as:
  - Designating employees to coordinate a security program
  - Identifying internal and external risks
  - Assessing the sufficiency of safeguards to control risks
  - Training employees in security practices
  - Selecting secure service providers
  - Adjusting the security program with changes in the business
  - Assessing risks in software and network design
  - Assessing risks in information processing, transmission, and storage
  - Detecting, preventing, and responding to incidents or system failure
  - Testing and monitoring systems, controls, and procedures
  - Assessing risks of information storage and disposal
  - Detecting, preventing, and responding to intrusions
  - Protecting against unauthorized access to or use of private information
  - Disposing of private information after it is no longer needed
Meeting your SHIELD Act obligations
Compliance with the information security requirements of the SHIELD Act can best be achieved by implementing the international standard ISO 27001, together with its code of practice ISO 27002, or NIST SP 800-53.
ISO 27001 sets out the requirements for an ISMS (information security management system), an organization-wide approach to information security that encompasses people, processes, and technology, and can be aligned with the SHIELD Act, as well as a host of other laws, including the CCPA (California Consumer Privacy Act) and the EU’s GDPR (General Data Protection Regulation).
Independently audited certification to the Standard is accepted around the world as proof that an organization has implemented and maintains information security best practice.
If ISO 27001 certification is achieved, any cybersecurity breach would not be subject to prosecution by the attorney general under the SHIELD Act unless there is evidence of “willful misconduct, bad faith, or gross negligence” on the part of the business that processes the information.
Speak to an expert
IT Governance has the information security expertise to help organizations achieve compliance with ISO 27001 and its companion guidance, ISO 27002. Please contact our ISO 27001 team for advice and guidance on our products and services.