In 2019, New York gained a new consumer data security law, the Stop Hacks and Improve Electronic Data Security Act, better known by its acronym, the SHIELD Act. The SHIELD Act is New York's strongest consumer data protection legislation to date.
Let's look at the changes it brings.
When does the SHIELD Act go into effect?
Governor Cuomo signed the SHIELD Act into law on July 25, 2019. The breach notification amendments took effect 90 days later, on October 23, 2019. The data security ("reasonable safeguards") provisions were delayed 240 days after signing and took effect on March 21, 2020.
What does the SHIELD Act do?
The law expands its jurisdiction to any business, employer, individual or organization, wherever located, that owns or licenses computerized data containing the private information of New York residents. The prior law reached only companies conducting business in the state.
SHIELD also broadens the definition of a breach. Under the prior law a breach meant the unauthorized acquisition of private information; SHIELD adds unauthorized access, so an incident in which an outsider viewed or could read a consumer's private information can be a breach even if nothing was copied out. It also strengthens the notification requirements. The change matters because the duty to notify the consumer is now triggered by access to their personal information, which an organization must be able to detect and reconstruct, rather than only by proof that the information was taken.
What kinds of personal information are we talking about?
SHIELD broadens the categories of private information that require notification to the consumer in the event of a breach:
- biometric information, such as retina scans, fingerprints, voice prints and iris images;
- a username or email address in combination with a password, or with a security question and answer, that permits access to an online account;
- Social Security numbers;
- driver's license numbers or state-issued identification card numbers; and
- credit, debit and other financial account numbers, together with any security code, access code or password needed to use them (or on their own, if the account can be accessed without additional information).
What businesses are covered under the SHIELD Act?
If a business holds the private information of New York residents, it must comply with the SHIELD Act. That is true whether the business is located in New York State or in another country. In that sense the law's reach resembles the extraterritorial reach of the EU's General Data Protection Regulation (GDPR). It also means that a company with a single New York customer must comply with the law unless it falls under one of the exceptions below.
Is any business exempt from the SHIELD Act?
No business that holds New Yorkers' private information is exempt from the notification duty, but the law scales the "reasonable safeguards" requirement for small businesses: those with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets. A small business meets the standard if its safeguards are appropriate for its size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it collects.
What consumers does the SHIELD Act cover?
At its foundation, the SHIELD Act covers all New York residents. Large corporations with customers and employees in several states, however, will most likely apply the SHIELD Act rules across the board rather than maintain different rules for different states.
In addition, New York is not the only state to have passed its own data protection rules. California has passed the California Consumer Privacy Act, and Rhode Island and Massachusetts have data security laws of their own. Employers with employees and/or consumers in more than one state will want to analyze the differences and may choose to adopt the strongest set of protections and follow it in every state.
One more wrinkle: New York will treat a company as compliant with the SHIELD Act's safeguards requirement if it is already subject to and compliant with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, or the New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500).
What should employers do for the SHIELD Act?
The SHIELD Act lays out general principles that employers must meet rather than prescribing exact wording to be adopted. Those guiding principles are:
- Design a company data security program with administrative, technical and physical safeguards in line with the SHIELD Act
- Appoint one or more management-level people responsible for running the data security program
- Carry out systematic and periodic assessments of security risks in the protocols, software, networks and information processing that handle personal consumer information
- Make changes to control or mitigate the risks found
- Create a training program that helps employees learn and maintain security practices, including how to recognize and avoid phishing
- Make sure vendors and service providers maintain appropriate safeguards, and require it in written contracts
- Create procedures for disposing of personal consumer information once the data retention period expires
- Maintain safeguards for detecting, preventing and swiftly responding to network intrusions
- Create and maintain protections against unauthorized access to personal consumer information from the time of collection until it is destroyed under the data retention policy.
How is the SHIELD Act enforced and are there penalties?
The State Attorney General is responsible for enforcing the SHIELD Act. Consumers do not have a private right of action under the law. The Attorney General may seek injunctive relief and civil penalties of up to $5,000 per violation of the reasonable safeguards requirement. A breach must also be reported to the Attorney General, the Department of State and the Division of State Police, and if more than 500 New York residents are notified, a copy of the notice must be sent to the Attorney General within 10 days of notifying the affected consumers. The penalty for failing to notify rises under SHIELD to $20 per failed notification, up to a maximum of $250,000.
As of August 2019, the New York Attorney General had assessed penalties exceeding $600 million for data breaches based on the law in effect before the Shield Act.
To learn more about privacy and cyber security issues expected in 2020, read the natlawreview.com article from January 2020 entitled "Privacy & Cybersecurity Issues to Watch in 2020: Happy Privacy Day!"
To talk to one of our experts about this topic, or any other issue, please contact us.
Make us your resource for all your IT questions. We are happy to help you keep your business secure.