While General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) get a lot of attention, New York should not to be left out. In effect beginning on March 21, 2020, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act (https://www.nysenate.gov/legislation/bills/2019/s5575) places additional security and privacy requirements on organizations that possess private information of New York residents, whether the organization is located in New York or not.
SHIELD defines personal information as “any information concerning a natural person which, because of name, number, personal mark, or other identifier can be used to identify such natural person”. Private information—the set of data that SHIELD requires organizations to protect—has a slightly more complex definition, but essentially consists of any of the following:
- Social Security number
- Driver’s license number
- Financial account or card number with PIN or passcode
- Financial account or card number only if PINs or passcodes are not required
- Biometric information
- Username or email address with password or security questions
SHIELD considers acquisition or access of private information to constitute a breach and has clear requirements for notification in the event of a breach. Breaches impacting any New York residents require notification to those residents, while breaches that impact more than 500 New York residents require businesses to notify the New York Attorney General within 10 days of the breach’s determination.
Penalties for non-compliance include liability for personal financial losses of impacted individuals, in addition to civil penalties between $5,000 and $250,000 if the non-compliance was found to be knowing and/or reckless.
To prevent those additional civil penalties, SHIELD requires organizations to “Develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but not limited to, disposal of data.” The word “reasonable” can be challenging, but SHIELD goes on to describe security program requirements over three (3) general areas that will be familiar to anyone who has worked around Information Security programs: administrative safeguards, technical safeguards, and physical safeguards.
It is also important to note that small businesses as defined by the act (fewer than 50 employees, less than $3 million in revenue over the past three (3) years, and/or less than $5 million in total assets) may have different requirements.
- Designation of Information Security roles
- Regular Information Security control design assessments
- Information Security education and awareness program
- Third-party and vendor management program
- System and process change control
- Information Security Risk Assessment Processes
- Network and application security review and testing
- Information processing, transmission, and storage security review and testing
- Information Security logging and monitoring
- Incident Response program
- Regular testing of Information Security program and controls, systems, and procedures
- Risk Assessment of the storage and disposal of physical media containing in-scope data
- Detection and prevention of and response to physical intrusions
- Protection of physical media containing in-scope data during or after collection, transportation, and destruction
- Data retention and data destruction processes
As breaches continue to increase in frequency, it is likely that we will see additional legislation at both the state and federal levels. The good news is that from an Information Security program and assessment perspective, many privacy, data protection, and breach notification laws are based on best practice and have a lot of overlap. This means that existing standards-based best practice Information Security and privacy programs will only require a few minor adjustments in order to achieve compliance with New York SHIELD requirements.