
New York’s SHIELD Act could change companies’ security practices nationwide

News Analysis
Mar 23, 2020 | 6 mins
Compliance, Data and Information Security, Data Privacy

SHIELD Act provisions broaden the scope of consumer privacy and place requirements on protecting personal data for organizations that collect information on New York residents.


The Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act, is a New York State bill signed into law last July. One key provision in the legislation that could significantly change security practices across the country is slated to go into effect March 21, possibly inducing companies big and small to change the way they secure and transmit not only New Yorkers’ private data but all consumers’ sensitive information.

Technically an amendment to the state’s data breach notification law, the SHIELD Act could have as much of an impact on internet and tech companies’ privacy and security practices as the more famous California Consumer Privacy Act (CCPA) or even the European Union’s General Data Protection Regulation (GDPR), experts say.

Expanded scope

The bill substantially broadens the scope of consumer privacy and data security protection by:

  • Expanding the range of information subject to the current data breach notification law to include biometric information and email addresses and their corresponding passwords or security questions and answers.
  • Broadening the definition of a data breach to include unauthorized access to private information.
  • Applying the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State.
  • Updating the notification procedures companies and state entities must follow when there has been a breach of private information.
  • Creating data security requirements tailored to the size of a business.

The first four of these requirements took effect on October 23, 2019, while the last provision is slated to go into effect on March 21.

SHIELD Act’s reach beyond New York

The potential widespread impact of the SHIELD Act for the country as a whole is contingent on the third requirement, which extends the bill’s provisions to any business that collects or maintains private information on a New York resident. Given the size and importance of New York, it seems likely that all major tech and internet companies hold private information on at least one New York resident and will therefore have to abide by the data security requirements. Just for expediency’s sake, any changes that protect New York residents’ data will likely extend to the data companies collect and hold for any consumers.

“The SHIELD Act is the next in line with a variety of different state legislation that is geared towards breach notification as well as data privacy and protecting the citizens of States,” Matthew Dunn, the former supervisory special agent overseeing the FBI Cyber Crimes/Counterintelligence Squad and now an associate managing director in the Cyber Risk practice at consultancy Kroll, tells CSO. “We had the GDPR; that was the first big one that was set up to protect European Union citizens’ information that’s being collected and stored and maintained and transmitted and giving people the right to know what their personally identifiable information is being used for. It also gives them the right to opt out of those types of activities as well if they want.”

“Then, in the U.S., the California Consumer Privacy Act took those types of measures in applying them to businesses operating in California,” Dunn says.

What are the SHIELD Act’s data security requirements?

In terms of the new data security requirements created by the SHIELD Act, the law mandates that:

  • Any person or business that owns or licenses computerized data that includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.
  • Any business other than a small business will be deemed to comply with the new law if it is a regulated entity already in compliance with a host of specific security and privacy safeguards such as HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH), Cybersecurity Requirements for Financial Services established by New York’s Department of Financial Services or other data security laws and regulations.

Companies will also be considered in compliance if they implement several data security practices outlined in the bill. These include reasonable administrative safeguards, such as training employees in security program practices and procedures, along with reasonable technical safeguards, such as regular testing and monitoring of essential controls, systems and procedures. The SHIELD Act also spells out physical security safeguards that companies should implement to comply with the law, including erasure of private information from electronic media once it is no longer needed.

“One of the other things that this particular state law does is it identifies that if you are to collect New York residents’ information electronically, then you must enact some type of reasonable security measures to protect that data,” Dunn says. “That’s taking it more in line with other federal regulations that we have seen in the past, such as HIPAA or the Gramm-Leach-Bliley Act.”

Small businesses, those with less than $3 million in annual revenue or less than $5 million in assets or fewer than 50 employees, will be considered in compliance if they have the same kind of administrative, technical or physical safeguards “appropriate for the size and complexity of the small business, the nature, and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”

One of the landmark requirements in the SHIELD Act is that any entity that collects personal data on New York residents needs to have a designated employee to oversee cybersecurity operations. “That’s something that we haven’t seen in the past, where you need to designate that individual responsible for this information to protect it when it’s collected electronically,” Dunn says.

Companies that fail to comply with these security requirements face civil penalties of up to $5,000 per violation with no penalty cap, unlike the penalty cap of $250,000 per violation for failing to notify authorities when a breach occurs. To avoid these penalties, companies should implement good cyber hygiene practices, conduct thorough asset inventories, implement monitoring and reporting measures, and otherwise adopt the practices that experts say make up good cybersecurity. Those steps are in addition to complying with the administrative, technical, and physical safeguards spelled out in the bill.

“You have to start thinking proactively right now because it’s not a matter of if, but when you have some type of cyber incident,” Dunn says. The bill could provide the added push that makes companies, and even individuals that collect personal data, look hard at their current data security practices and make some changes.

The real shift will occur once the New York attorney general begins fining entities for failing to comply with the security requirements. “Once people know that they are going to be held accountable for the type of information that they collect and maintain on their databases, that there will be repercussions, maybe you’ll see some changes being made,” Dunn says.