New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act: Just the Basics
New York’s “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act went into effect on March 21, 2020. This modification to New York’s existing data security law requires any person or business that controls or processes electronic records containing “private information” of New York residents – regardless of whether business is conducted in New York – to adopt reasonable safeguards to protect the security, integrity, and confidentiality of that information.
What information must be protected?
Private information is defined as personal information plus one or more of a defined set of data elements when the data element is not encrypted, either alone or in combination with personal information, or when the encryption key has also been compromised. Data elements include:
- Social Security number
- Driver’s license number or non-driver ID number
- Financial account information: credit, debit, or account number (if that information could be used to access a financial account without additional identifying information, security code, access code, or password)
- Biometric information
Private information also includes a username or email address in combination with a password or security question and answer that would allow access to an online account. Excluded is information that is lawfully publicly available through federal, state, or local government records.
Penalties for non-compliance
The New York State Attorney General can seek up to $250,000 for violations by a company, up from the previous statute’s $150,000.
SHIELD Act security program requirements
According to the act, security programs must include…
- Reasonable administrative safeguards
- Assign designated security program coordinator(s)
- Identify “reasonably foreseeable” internal and external risks
- Assess current safeguards to control identified risks
- Train and manage employees in the security program’s practices and procedures
- Select service providers who are capable of maintaining appropriate safeguards, and require those safeguards as part of the contract
- Adjust the security program in light of business changes or new circumstances
- Reasonable technical safeguards
- Assess risks in network and software design, and in information processing, transmission, and storage
- Detect, prevent, and respond to attacks or system failures
- Regularly test and monitor the effectiveness of key controls
- Reasonable physical safeguards
- Assess risks in storage and disposal of information
- Detect, prevent, and respond to intrusions
- Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
- Dispose of private information within a reasonable timeframe and in a manner appropriate for electronic media
InsightThe EU-US Privacy Shield is history. What happens next?Bhavesh Vadhani, Deborah Nitka, Daryouche BehboudiU.S. companies now must reassess their exposure to EU data privacy laws and consider alternate mechanisms such as standard contractual clauses (SCCs). Read more.
InsightFINANCIAL SERVICES: Key cybersecurity and privacy risks for firms shifting to remote-work modelsAs financial services firms go remote amid COVID-19, know the risks – scams, compromised data, compliance issues, and more – and steps you can take against them.
InsightREAL ESTATE: Effective data privacy: Improving customer trust in the COVID-19 eraRead about new cybersecurity and data privacy risks that commercial real estate firms face as they introduce technologies to facilitate reopening and remote work.
InsightCybersecurity insurers have augmented risk assessments amid the COVID-19 pandemic. You should, too.Shahryar ShaghaghiAs insurers add new measures to get a better read on businesses’ risks, learn how to assess and handle yours, especially those related to remote-work programs.