The NYS Shield Act
In 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The SHIELD Act amends New York's existing breach notification law and adds a data security requirement, and it extends both to any person or business that owns or licenses computerized data containing the private information of New York residents, wherever that business is located.
Breach Notification Changes
Notification must now be provided to any New York resident whose private information was accessed or acquired by an unauthorized person, regardless of whether the business itself is located in New York State. Previously only unauthorized acquisition triggered notice; unauthorized access alone now qualifies. The business must also notify the New York State Attorney General, the Department of State and the Division of State Police of the timing, content and distribution of the notices and the approximate number of affected persons. Where more than 5,000 New York residents must be notified at one time, the business must also notify the consumer reporting agencies.
The SHIELD Act defines private information in two ways. The first is personal information (any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify that person) in combination with any one or more of the following data elements:
- Social security number
- Driver's license (or non-driver identification) number
- Account number, credit or debit card number, in combination with any required security code, access code, password, or other information that would permit access to an individual's financial account
- Account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password
- Biometric information (for example a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data used to authenticate or ascertain identity)
The second, which stands on its own and does not need to be paired with other personal information, is:
- Username or email address in combination with a password or security question and answer that would permit access to an online account
In either case the information only counts as private information if the data element or the combination is not encrypted, or is encrypted with an encryption key that was also accessed or acquired. Encryption at rest is therefore only a safe harbor if the key is managed separately from the data and was not exposed in the same incident.
Notifications may be delivered by any one of the following methods:
- Written notice
- Electronic notice, provided the individual has expressly consented to receive notice electronically. A log of each such notification must be kept.
- Telephone notification, provided a log of each such notification is kept.
If the cost of providing notice would exceed $250,000, if more than 500,000 persons would have to be notified, or if the business lacks sufficient contact information, substitute notice may be used instead. Substitute notice consists of all of the following:
- Email notice when the business has an email address for the individual, except where the breached information includes an email address in combination with a password or security question and answer that would permit access to the online account.
- Conspicuous posting of a notice on the business's website.
- Notification to major statewide media.
Data Security Protection Changes
The SHIELD Act requires that "Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data." Organizations already subject to and compliant with the Gramm-Leach-Bliley Act, HIPAA, 23 NYCRR 500, or another New York State or federal data security regulation are deemed compliant with this requirement. All other organizations must implement a data security program that includes reasonable administrative, technical, and physical safeguards. The statute gives examples of each: administrative safeguards such as designating staff to run the program, identifying reasonably foreseeable internal and external risks, training employees and requiring safeguards from service providers by contract; technical safeguards such as assessing risks in network and software design and in the processing, transmission and storage of data, detecting and responding to attacks or system failures, and regularly testing and monitoring key controls; and physical safeguards such as detecting and responding to intrusions, protecting private information during collection, transport and destruction, and disposing of it within a reasonable time after it is no longer needed by erasing electronic media so it cannot be read or reconstructed. Small businesses (fewer than 50 employees, or under $3 million in gross annual revenue in each of the last three fiscal years, or under $5 million in year-end total assets) may scale their safeguards to the size and complexity of the business, the nature of their activities and the sensitivity of the information they hold.
Data Notification Penalties
The SHIELD Act defines civil penalties for failure to follow the notification process. There is no private right of action; enforcement is at the discretion of the New York State Attorney General. For a knowing or reckless violation of the notification requirements, a court may impose a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, with the per-instance amount capped at $250,000.
The SHIELD Act also empowers courts to enjoin continuing violations of the notification requirements and to award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. Failure to maintain the required data security safeguards is enforced separately, with a civil penalty of up to $5,000 per violation.
Effective Dates
The SHIELD Act was signed into law on July 25, 2019. The amended breach notification requirements took effect on October 23, 2019. The reasonable safeguards requirement takes effect on March 21, 2020.
For more information on the NYS SHIELD Act, contact us today.