A $250,000 fine could be a very painful way to find out you don’t comply
In a little over a month, the new data security provisions of the New York Shield Act take effect. As we have covered in the past, NY Shield Act changes took place on October 23, 2019. Specifically, New York’s data breach notification statute changed to provide updated definitions and additional coverage.
On March 21, 2020, new data security protections come into effect.
SHIELD stands for Stop Hacks and Improve Electronic Data Security Act and was inspired by government and legal action against Equifax which ultimately cost the company billions of dollars.
The law is moving along quickly – likely faster than most companies are aware of. The Act, 2019 N.Y. Ch. 117, which was signed into law by Governor Cuomo on July 25, 2019, modifies existing data breach law to expand the definition of “Private Information” and imposes new substantive cybersecurity requirements.
On March 21st, organizations must adopt cybersecurity programs reminiscent of the Written Information Security Program (WISP) required under Massachusetts law for entities that own or license the personal information of Massachusetts residents. Additionally, with the SHIELD Act’s coverage extending to biometric data, New York joins the handful of states that have acted in this area (the others being Illinois, Texas and Washington).
With a few exceptions, the cybersecurity provisions of the SHIELD Act mandate that any person or business that owns or licenses the computerized Private Information of any New York resident maintain reasonable safeguards to protect this information. “Private Information” is broadly defined to encompass a range of information that could be used to identify a person when combined with other statutorily specified data elements. More on this later.
The SHIELD Act applies to all organizations that process the Private Information of New York residents, regardless of whether the organizations are domiciled in New York State. Notably, there is no minimum threshold for the statute to apply – meaning that the Private Information of even a single New York resident triggers the SHIELD Act’s provisions.
The SHIELD Act amends the definition of “private information” to include three new types of personal information that are covered by the law:
- Account number, credit or debit card number, even without additional identifying information or a password
- Biometric information, such as an individual’s fingerprint, voice print, or retina image
- User name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Data Breach has a new definition as well
Previously, a breach was defined as the unauthorized acquisition of personal information; under the amended law, a breach will have occurred if there was unauthorized acquisition of, or access to, private information.
When evaluating whether access occurred, the Act provides that a business may consider “indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”
Similar to GDPR, the SHIELD Act now has global implications
The old New York data breach law applied to any “person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information…” The Act has removed the “conducts business in New York state” requirement. Now, regardless of whether the person or business is conducting business in New York, the SHIELD Act applies to those who possess private information for a New York resident.
This is similar to the EU’s GDPR regulation.
There are new data breach notification requirements
The Act now provides that notice to affected persons is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines that such exposure will not likely result in misuse of such information or cause financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials. If this exception applies, the person or business must document the determination and maintain the documentation for at least five years. If the incident affects more than five hundred New York residents, the written determination must be provided to the New York Attorney General within ten days after the determination.
For those businesses that are required to comply with data breach requirements under laws such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or the Gramm-Leach-Bliley Act, additional notifications are not required to be issued to impacted New York residents. However, these businesses are required to notify the New York Attorney General, the New York Department of State, and the New York Division of State Police.
The SHIELD Act also requires that breach notifications include the telephone numbers and websites of the relevant New York State and federal agencies that provide information regarding security breach response and identity theft prevention and protection information.
The reasonable safeguards or security requirement is generally defined as follows:
Organizations need to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.” The reasonable safeguards require any applicable person or business (i) to be in compliance with laws such as HIPAA or the Gramm-Leach-Bliley Act or (ii) to implement a data security program that includes the following:
Reasonable administrative safeguards such as the following, in which the person or business:
(1) Designates one or more employees to coordinate the security program;
(2) Identifies reasonably foreseeable internal and external risks;
(3) Assesses the sufficiency of safeguards in place to control the identified risks;
(4) Trains and manages employees in the security program practices and procedures;
(5) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
(6) Adjusts the security program in light of business changes or new circumstances; and
Reasonable technical safeguards such as the following, in which the person or business:
(1) Assesses risks in network and software design;
(2) Assesses risks in information processing, transmission and storage;
(3) Detects, prevents and responds to attacks or system failures; and
(4) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and
Reasonable physical safeguards such as the following, in which the person or business:
(1) Assesses risks of information storage and disposal;
(2) Detects, prevents and responds to intrusions;
(3) Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
(4) Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
While small businesses are subject to the reasonable security requirement, the SHIELD Act provides that these safeguards may be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” The Act considers a small business to be one that has less than fifty employees; less than $3 million in gross annual revenue in each of the last three fiscal years; or less than $5 million in year-end total assets.
Summing it all up: if a small business is breached, the cost, according to IBM, is typically a staggering $2.5 million. It can run into the billions, as in the case of a large company like Equifax. On top of this cost, the New York SHIELD Act specifies the following:
Reckless violations can result in a fine of up to $250,000.
The per-record breach fine is $20 and is capped at 12,500 records.
There is no magic bullet, but it helps to get an outside firm to examine your systems and hopefully find any issues before the hackers do.
For quality, reliable IT service, cybersecurity and tech support in Manhattan, New York, Connecticut and beyond, contact 5-star and award-winning Apex Technology Services and keep your organization protected. Please contact us for more information and learn how we can help your organization stay secure.