Though many of you may have missed it for obvious reasons, the New York Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act became effective on March 21. In short, the SHIELD Act amended and strengthened New York’s data breach law: it reaches businesses located outside of New York, imposes affirmative data security requirements, and otherwise expands prior New York law as follows:
- The definition of “Private Information” was broadened to include biometric information (e.g., fingerprint, voice print, retina or iris image); a username or email address in combination with a password or a security question and answer; and a financial account number or credit/debit card number even without a security code, access code or password, if the account can be accessed without that additional information. Thus, a Breach involving Private Information now covers far more data than previously included.
- The definition of “Breach” was expanded to include any unauthorized access to computerized data that compromises the security, confidentiality or integrity of Private Information, not just unauthorized acquisition of it. The Act provides examples of what may indicate unauthorized access, and actual acquisition of the Private Information is no longer required. Thus, a Breach now covers far more, and far more common, scenarios, and mere access is sufficient.
- The geographical scope of the SHIELD Act is expanded to cover any person or business that owns or licenses computerized data that includes Private Information of a New York resident. Thus, the SHIELD Act is not limited to businesses located in New York or that conduct business in New York.
- Businesses or individuals to whom the SHIELD Act applies must now adopt reasonable safeguards to protect the security, confidentiality and integrity of Private Information. The Act lists administrative, technical and physical safeguards, including the following:
  - Administrative safeguards:
    - Designate one or more employees to coordinate the security program.
    - Identify reasonably foreseeable internal and external risks.
    - Assess the sufficiency of the safeguards in place to control the identified risks.
    - Train and manage employees in the security program practices and procedures.
    - Select vendors capable of maintaining appropriate safeguards, and require those safeguards by written contract.
    - Adjust the security program in light of business changes or new circumstances, on a regular basis and as needed.
  - Technical safeguards:
    - Assess risks in network and software design (the “Privacy by Design” concept).
    - Assess risks in information processing, transmission and storage.
    - Detect, prevent and respond to attacks or system failures.
    - Regularly test and monitor the effectiveness of key controls, systems and procedures.
  - Physical safeguards:
    - Assess risks of information storage and disposal.
    - Detect, prevent and respond to intrusions.
    - Protect against unauthorized access to or use of Private Information during or after its collection, transportation, and destruction or disposal.
    - Dispose of Private Information within a reasonable time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed.
Many businesses will find that they are already contractually or legally bound to follow requirements equivalent to those of the SHIELD Act, independent of the Act itself, because these requirements overlap in large part with recognized security best practices, the GDPR, the CCPA and many other regulatory schemes. Indeed, the SHIELD Act specifically provides that businesses already subject to, and in compliance with, certain other data security regimes (such as the Gramm-Leach-Bliley Act, HIPAA, or the New York Department of Financial Services cybersecurity regulation) are deemed to satisfy the Act’s reasonable safeguards requirement.
Though the SHIELD Act allows the Attorney General to pursue civil penalties (up to $5,000 per violation of the security requirements, and $20 per failed breach notification up to $250,000), it does not create a private cause of action. However, failure to comply with the SHIELD Act could still expose a business to private claims: (a) for breach of contract, where the business has agreed to comply with all applicable legal requirements; or (b) in negligence, where a court treats the SHIELD Act’s safeguards as evidence of the standard of reasonable data protection and security practices following a data breach. Thus, the risk of non-compliance is not limited to potential civil penalties.
For more information or assistance, please contact Michael J. Feldman, Esq., at or 908-964-2486. As always, and in particular during these trying times, please also regularly visit https://www.olenderfeldman.com/blog/ for constantly updated and useful critical information on government action, legal changes, funding (loans, grants, etc.) opportunities and related matters in connection with COVID-19.