In late March 2020, all provisions of the New York SHIELD Act went into effect. This is New York’s amended data privacy and cybersecurity law. “SHIELD” is an acronym for Stop Hacks and Improve Electronic Data Security. Like many similar statutes recently enacted, the SHIELD Act not only applies to New York businesses, but also applies extraterritorially to any business that collects and stores data with respect to individuals living in New York. Thus, even non-New York businesses need to be aware of what the Act requires. Here is a quick overview of some of the more important features of the new Act.

What is New for Affected Businesses?

The SHIELD Act heightens and expands the statutory mandates with respect to the cybersecurity measures that a business must have in place to protect personal data from hackers, unauthorized access and other forms of malicious exfiltration. The Act also broadens New York’s data breach notification requirements.

One of the expanded requirements relates to disposal, deletion and destruction of data. The Act mandates that all businesses must prepare and implement “reasonable” policies and procedures to protect data. Those policies and procedures must now be expanded to protect data that is being deleted and equipment that is being disposed/destroyed. The Act also now requires that all companies that collect personal data must designate a data security officer (an individual or small group).The data security officer is to be tasked with implementation and oversight of data security protocols and with the responsibility to lead the team that is designated to respond to any breach or attempted breach.

Businesses are considered in compliance with the Act if the policies and procedures implements comply with the safeguards listed in the statute. For example, with respect to administrative safeguards, companies need to appoint their data security officer, identify and guard against foreseeable external and insider risks, provide training and more. With respect to technical safeguards, companies must have proper and state-of the art software and hardware, must have programs and tools designed to detect efforts at unauthorized access, must regularly update systems against new threats and more. Reasonable physical safeguards must also be in place to prevent physical theft and unauthorized access to or use of confidential data. A new provision also mandates businesses must remove or delete private information “within a reasonable amount of time” after information is no longer needed. As noted, reasonable security measures must be in place for data destruction to ensure that the data cannot be read or reconstructed.

What is the Expanded Definition of Personal Information?

The new Act broadens the definition of “personal information” (now designated as “private information”) to cover biometric data, email addresses, passwords, other account security information and “health information.” This brings New York into line with other states like California and Illinois that recognize a much broader definition of privacy data and information. The new definition still retains the old list of personally identifiable information such as names, addresses, social security and driver’s license numbers, credit/debit card information, financial account numbers, etc.

How Has Breach Notification Been Expanded?

Notification of a “breach” is now required where there has been unauthorized access. Under the old breach notification provisions, some sort of exfiltration or “taking” of the data was needed before the notice requirement was triggered. Now, notice can be triggered by unauthorized access of private information even if there is no evidence or indication of use, alteration, copying or other taking of the information.

How does the SHIELD Act compare with the GDPR and the California Consumer Privacy Act (CCPA)?

In general, the SHIELD Act does not go beyond any mandates found in the European Union’s General Data Protection Regulation or the California Consumer Privacy Act. Thus, if businesses are in compliance with those statutes, then businesses should be in compliance with the SHIELD Act.

Does the SHIELD Act Have a Private Right of Action?

No, nothing has changed in this respect. Enforcement of the Act remains with the New York Attorney General’s Office.

Contact Us Today

For more information about the SHIELD Act or if you have legal questions about data security or how to respond to a data breach, contact the data security lawyers at Revision Legal at 231-714-0100.