The SHIELD Act - What it means for us

The SHIELD Act, Stop Hacks and Improve Electronic Data Security Act (S.5575B/A.5635), was signed in to New York State law by Governor Cuomo on July 25, 2019. This legislation essentially recognizes that cybersecurity needs to be regulated, and that constituents need protection from the careless use, or storage of their personal information.
The law does not address in detail many of the complexities related to digital identities and transactions, but it provides broad definitions that allow for punitive measures to be taken when egregious or reckless behavior was at cause.

It carefully avoids putting undue burden on businesses before problems occur, meaning that specific compliance requirements and mandatory audits are not defined as part of the law. However, SHIELD does require businesses (and other entities) which digitally store the personal information of New York State residents to implement reasonable data security safeguards, including: designating cybersecurity personnel, implementing adequate controls for the protection of personal data, employee training concerning cybersecurity, and documentation of policies practices and procedures.

The legislation’s language is not exactly specific and does not require things like all social security numbers to be stored and transferred in an encrypted format. Instead it leaves some detail open to interpretation such as letting businesses choose what is a reasonable safeguard based on the business’s own size and limitations.

Perhaps most importantly, the SHIELD Act brings an awareness to the need for businesses to have a cybersecurity plan and to protect private information. The Act empowers the state to take punitive action against businesses that are breached and that have been reckless by not having taken the loosely specified “reasonable” measures to protect the personal information they record.

Here are some of the salient takeaways:

• Expanded definition of personal information in addition to social security and driver’s license numbers, birth dates, etc.. to include biometric data, such as fingerprints, retinal scanning data, or any other “electronic measurements of an individual’s unique physical characteristics” as well as individuals’ usernames, email addresses, passwords and security questions and answers which can provide access to online accounts

• Stronger obligations on businesses handling private information

• Expansion of the definition of a data breach to include unauthorized access to private information

• Updated notification requirements when private information security has been breached: “Any person or business which [conducts business in New York state, and which] owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, ACCESSED OR acquired by a person without valid authorization.” and to notify affected individuals “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”.

• Requirement for businesses and other entities which digitally store the personal information of New York State residents to implement reasonable data security safeguard requirements, including designating cybersecurity personnel and implementing adequate controls for the protection of personal data, employee training concerning cybersecurity policies, practices and procedures.

The SHIELD Act will impose fines of $5,000 per violation, or $20 per notification failure with a limit of $250,000 per breach.

The law went into effect on March 21, 2020.