The New York Stop Hacks and Improve Electronic Data Security Act, known as the SHIELD Act, contains a reasonable security requirement that went into effect March 21, 2020.
Each person or business that owns or licenses computerized data that includes private information of a New York resident must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including, without limitation, the disposal of data. N.Y. Gen. Bus. Law § 899-bb.2.(a).
What Constitutes Private Information?
Private information means personal information (any information concerning a natural person that, because of name, number, personal mark, or other identifier, can be used to identify such natural person) consisting of any information together with any of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted or is encrypted with an encryption key that has also been accessed or acquired.
social security number;
driver's license number or non-driver identification card number;
account number, credit or debit card number, together with any required security code, access code, password or other information that would permit access to an individual's financial account;
account number, credit or debit card number, if circumstances exist in which such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or
biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity;
N.Y. Gen. Bus. Law § 899-aa.1.(a)-(b).
Private information also includes a username or email address together with a password or security question and answer that would permit access to an online account. Id.
Private information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Id.
What Constitutes Reasonable Security?
A person or business that is not a compliant regulated entity (as more particularly described below) is deemed to comply with the SHIELD Act's reasonable security requirement if it implements a data security program that includes the following.
Reasonable administrative safeguards such as the following.
Designating one or more employees to coordinate the data security program
Training and managing employees in the data security program practices and procedures
Identifying reasonably foreseeable internal and external risks
Assessing the sufficiency of safeguards in place to control the identified risks
Selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract
Adjusting the security program in light of business changes or new circumstances
Reasonable technical safeguards such as the following.
Assessing risks in network and software design
Assessing risks in information processing, transmission, and storage
Detecting, preventing, and responding to attacks or system failure
Regularly testing and monitoring the effectiveness of key controls, systems, and procedures
Reasonable physical safeguards such as the following.
Assessing risks of information storage and disposal
Detecting, preventing, and responding to intrusions
Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
N.Y. Gen. Bus. Law § 899-bb.2.(b).
What Constitutes a Small Business?
The SHIELD Act defines a small business as any person or business with fewer than 50 employees, less than 3 million dollars in gross annual revenue in each of the last 3 fiscal years, or less than 5 million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles. N.Y. Gen. Bus. Law § 899-bb.1.(c).
A small business that is not a compliant regulated entity must implement a data security program that contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business' activities, and the sensitivity of the personal information that the small business collects from or about consumers. N.Y. Gen. Bus. Law § 899-bb.2.(c).
A person or business is deemed to comply with the SHIELD Act's reasonable security requirement if it is a compliant regulated entity, subject to, and in compliance with, any of the following data security requirements.
regulations promulgated pursuant to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809), as amended from time to time;
regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164), as amended from time to time, and the Health Information Technology for Economic and Clinical Health Act, as amended from time to time;
part five hundred of title twenty-three of the official compilation of codes, rules, and regulations of the state of New York, as amended from time to time; or
any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government as such rules, regulations or statutes are interpreted by such department, division, commission or agency or by the federal or New York state courts.
N.Y. Gen. Bus. Law § 899-bb.1.(a).
A person or business that fails to comply with the SHIELD Act's reasonable security requirement is deemed to have violated N.Y. Gen. Bus. Law § 349, and the New York attorney general may bring an action to enjoin such violations and to obtain civil penalties under N.Y. Gen. Bus. Law § 350-D. N.Y. Gen. Bus. Law § 899-bb.2.(d).
Finally, according to N.Y. Gen. Bus. Law § 899-bb.2.(e): "Nothing in this section shall create a private right of action."
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.