New York SHIELD Act: Everything You Need to Know

January 23, 2020

Yesterday, we teamed up with RDG+ Partners and Harter Secrest and Emery LLP to explore how business will be affected by the New York SHIELD Act.  In case you couldn’t make it, or want the highlights, here’s a recap and the biggest takeaways. 

Rundown of the New York SHIELD Act. 

First, let’s understand the SHIELD Act.  It stands for ‘Stop Hacks and Improve Electronic Data Security Act’ and expands New York’s previous data breach notification law to include the handling of personal information.  This stems from large data breaches and consumer privacy and data concerns and follows other national and state government regulations.  

The regulation is the state’s latest effort to ensure that companies are meeting security requirements and properly handling NY resident data.  The key points of the SHIELD Act are: 

  • Broadens the definition of “private information” – now includes biometric information, account number, username or email address and password
  • Expands the definition of “breach”
  • Expands the jurisdictional reach and enforcement risk
  • Imposes data security requirements

All businesses must have security compliance in place by March 21, 2020 to avoid any penalties.  Our expert panel expanded on legal and security steps to ensure businesses are prepared. 

Legal view on the SHIELD Act. 

With the law coming from New York State, Paul Greene, Partner and Chair of Privacy and Data Security at Harter Secrest and Emery LLP walked through the background of the law and ways company can become compliant to avoid legal hiccups. 

“No one created a fire code for data security.  No one had an overarching plan to deal with breaches in the front end.  They were being reactive.” Paul Greene commented as he was explaining why data breach laws are in place and focus around sensitive personal information.  Due to the commodity that personal data is, that is why previous laws have emphasized personal information rather than network security.  

Today, the SHIELD Act builds off of past events and practices to include security components.  The act affects any person or business that owns or licenses private information of a New Yorker.  Those entities are now required to developimplement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.  

A notable part of the regulation is in regard to the disposal of data.  A person or entity is now required to properly dispose of any data that no longer serves a business purpose.  Luckily, there is wiggle room in the definition of what serves a valid business purpose. 

Enforcement and penalties for non-compliance are outlined in the act. If violated, the court can impose a civil penalty of $5,000 or up to $20 per instance of failed notification (which cannot exceed $250,000). Let’s remember, that figure does not include the unavoidable legal fees, potential recovery costs, lost productivity and reputational harm. The final costs can be significantly higher than $250,000.

How to comply. 

Compliance begins with data inventory.  Risks stem from not knowing what data you collect, how it is processed or where it resides.  Use that information to implement a proper and sound security plan.  

Path to SHIELD Act Compliance: Cliff Notes Technology Plan

After understanding the legal view and steps to become compliant, it’s time to take action to ensure your company is covered from a security standpoint.  Justin Smith expanded on how to create a SHIELD Act compliant security plan for small businesses and small business owners.   

From a business owner perspective, a company collects an abundance of employee data, from drivers’ licenses to financial information.  Due to that responsibility, implementing a security plan is critical to ensure compliance.  

“You need to perform an assessment, because you need to identify where the information is and what information you have.  You cannot begin to protect anything you cannot see.”  Justin Smith stated in relation to the importance of performing a gap analysis.  

To prepare your organization and position it in a place to implement a new or updated plan, here are four key steps to get started in the right direction: 

  1. Develop an information security policy with law firm and IT provider.  This ensures for proper compliance and full coverage from different angles. 
  2. Identify one individual to coordinate the program.  Have that individual in-house and outsource the time consuming, day-to-day tactical tasks. 
  3. Perform a security risk and gap analysis.  Create remediation plan based off findings. 
  4. Train employees. A large percentage of breaches trigger from within an organization and your employees are truly your first line of defense.

The New York SHIELD Act priorities personal information and holding businesses accountable for the security and management of that data.  Compliant requirements take effect on March 21, 2020 and as you’re making preparations, utilize your resources at Brite, RDG+ Partners and Harter Secrest and Emery LLP for guidance.  


 

Brite-Banners50