The Law in question is 23 NYCRR Part 500, also referred to as the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”). Passed back in 2017, the state regulation, a first of its kind in the nation, sets comprehensive cybersecurity compliance requirements for all licensed entities that operate under New York Banking, Insurance, Financial Services and Credit Reporting Agency laws. The regulations were intended to “promote the protection of customer information as well as the information technology systems of regulated entities.” Subject to limited exemptions, the regulations require covered entities to implement an enterprise-wide Cybersecurity Program, together with policies and procedures to address and mitigate cybersecurity risk.
What does the Act protect?
The Act protects Private Information. Private Information requires a combination of personal information and a listed data element identifier such as a Social Security number, driver’s license number, financial account number, biometric information, username, or e-mail address. If any of these data element identifiers can be connected to personal information such as a name or address, the combination becomes Private Information and falls under the law.
Who does it apply to?
The Act applies to ‘Covered Entities’, which are defined to include organizations operating under a license or registration under the New York Banking Law, Insurance Law or Financial Services Law (Credit Reporting Laws were added a year later). The Act also specifically calls out ‘Authorized Users and Third-Party Service Providers (TPSPs)’. These include anyone that is authorized to access or use a Covered Entity’s information systems and data. That is a very wide net, and it is why it doesn’t matter whether you are in New York or Alaska: if you are even tangentially related to the private information of a NY resident, then you need to check with a lawyer that you are abiding by this Act.
There are, however, certain limited exceptions from the Act that apply to smaller operations; specifically, 1) those that have fewer than 10 employees in the state of NY, or 2) earn less than $5 million in gross revenue in each of the last three years, or 3) hold less than $10 million in year-end total assets. Take note of the ‘OR’s there: you don’t need to meet all three. If ANY of those apply to you, then you are exempt from certain portions of the Act.
What does the Act require?
The principal requirements of the regulation are 1) the establishment of a cybersecurity program and 2) appointment of a Chief Information Security Officer to oversee that program. The program must be capable of:
- Identifying internal and external cyber risks.
- Using defensive infrastructure and policies and procedures in concert to protect information.
- Detecting cybersecurity events.
- Responding to identified or detected cybersecurity events to mitigate any effects.
- Recovering from cybersecurity events and restoring normal operation.
- Fulfilling any reporting requirements, such as notifying NY within 72 hours of a suspected breach.
Overall, what really separates this Act from its counterparts is its focus on risk assessment and on being proactive about cybersecurity. The Act really does leave the specifics of how to implement these goals to the judgement of each business (except for Multi-Factor Authentication, which the Act specifically requires). NY just wants you to have a program in place to defensively protect private information, rather than only a reactionary plan for when a breach occurs.
What do the penalties look like?
In 2021, NY aggressively pursued Covered Entities that failed to comply with the Act, including assessing several million dollars in fines and penalties.
In March 2021, NY imposed a $1.5 million fine on a Portland, Maine licensed mortgage banker for failing to notify the regulator of a breach. A routine examination by the regulator uncovered evidence that a breach occurred in 2019 involving unauthorized access to an employee’s email account containing large amounts of the sensitive personal data of mortgage loan applicants. The company was found liable for violating the Act in failing to timely report the breach and failing to conduct a comprehensive Cybersecurity Risk Assessment.
In April, NY imposed a $3 million fine on a NY-based insurance company for its failure to implement Multi-Factor Authentication, its failure to timely report two separate Cybersecurity Events, and its false certification of compliance with the Act. And in May, NY imposed a $1.8 million fine on two life insurance companies based on their failure to implement Multi-Factor Authentication and their false certification of compliance with the Act.
The SHIELD Act will have far-reaching effects, as any business that holds private information of a NY resident must comply with the Act. This Act also shows how seriously NY, like other states across the nation, is taking privacy and data security matters. Regardless of where you are in the country, you should be assessing and reviewing your data breach prevention and response activities and consulting a knowledgeable attorney about complying with the SHIELD Act.
If you have legal questions about SHIELD Act compliance, contact Revision Legal at 231-714-0100.