Coronavirus or Not: The NY SHIELD Act and What All Businesses in NY State Need to Know
As we enter into this new decade of 2020 thinking about what the long-term impacts will be regarding cybersecurity and privacy over the next ten years, there are very immediate challenges executives are navigating today in the state of NY. The regulatory environment continues to strengthen globally and NY state continues to lead the way setting expectations for businesses handling personal information for NY residents.
In 2018, we saw the European Union pass the General Data Protection Regulation (GDPR) with an emphasis on the protection of data for European residents including a number of requirements to protect the privacy and security of European resident’s data. January 1, 2020 the California Consumer Privacy Act (CCPA) went into effect which impacts companies collecting data, mainly targeted for digital advertising purposes, on Californian residents. Now, in the state of NY there is a new law that can have a significant impact on businesses especially if a company has a breach and comprised the personal information of NY residents negligently.
The NY Department of Financial Services annual cybersecurity filing deadline has been moved from April 15th to June 1st. This can give some of you some good relief, but the expectation remains of keeping data and systems secure through this COVID-19 pandemic. Especially with the NY SHIELD Act, it would be a dangerous risk to allow this extended deadline to be perceived as permission to not take the proper actions to control cyber and data risk at this time while staff are transiting to working remotely.
What is the NY SHIELD Act?
The new NY SHIELD (Stop Hacks and Improve Electronic Data Security) Act goes into effect March 21, 2020. This Act requires safeguards for the personal information for NY state residents. The SHIELD Act requires employers in possession (owns or licenses electronic data) of New York residents’ private information to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” Companies required to abide by HIPPA, NY DFS Cybersecurity Regulation, or GLBA most likely are already following these new requirements.
What are new requirements of the NY SHIELD Act?
The SHIELD Act does not mandate specific safeguards, but instead provides that a business will “be deemed to be in compliance with” this standard if it implements a “data security program” that includes all of the elements enumerated in the SHIELD Act. This data, or cybersecurity program, includes mandates for administrative, technical and physical safeguards:
Administrative safeguards include: The business (i) designates one or more employees to coordinate the Cybersecurity Program; (ii) assesses internal and external data security-related risks and the sufficiency of safeguards in place to control the identified risks; (iii) trains employees on cybersecurity (iv) selects vendors who meet cybersecurity standards; and (v) amends the Cybersecurity Program to meet the new requirements.
Technical safeguards include: The business (i) assesses data security-related risks of network and software design and information processing, transmission and storage; (ii) detects, prevents and responds to attacks or system failures; and (iii) tests and monitors the effectively of controls, systems and procedures.
Physical safeguards include: The business (i) assesses risks of information storage and disposal; (ii) detects, prevents and responds to intrusions; (iii) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (iv) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
What is defined as personal information?
Though this received a lot attention initially it seems to have gone under that radar for a lot of businesses in NY, especially businesses not officed in NY but collecting data on NY residents. All businesses are impacted by this law if they collect data on any NY residents. For example, if a company has an employee that is a NY resident, they are subject to this Act because of the scope of data likely collected during the hiring process.
The Act covers not only “personal information” currently defined in GBL §899-aa(1)(a) as: “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person…” but also “private information” which is now defined as either personal information in combination with any one or more of the following data elements that were not encrypted, or was encrypted with an encryption key but was accessed or acquired:
- Social Security number
- Driver’s license number
- Credit or debit card number,
- Financial account number (with or without security code, as long as an unauthorized person could gain access to the account)
- Biometric information
- Username or e-mail address with a password, or security question, that permits access to an online account.
What industries are impacted?
This becomes even more difficult for small businesses. Those small businesses with fewer than 50 employees or less than $3 million in gross annual revenue—need only ensure that their data security safeguards are appropriate for the size and complexity of the small business, the nature and scope of the small businesses’ activities, and the sensitivity of the personal information the small business handles. Therefore, requirements still need to be in place.
As mentioned, the less impacted companies those that are regulated by the New York Department of Financial Services (NY DFS) Cybersecurity regulation in banking, insurance and financial services. However, for companies under $10M in total assets, under 10 employees, or under $5M in total revenue three years in a row, hoping to file for exemption for the upcoming April 15, 2020 certification deadline, they will want to validate that is still an option under this new Act. Yet, many companies will find, they may have limited exemption, but not full exemption under the NY SHIELD Act.
The biggest impact is to non-regulated industries. Real estate and retail not only hold employee information, but client or tenant information. Manufacturing, law and accounting firms, fashion companies and other service industries are also subject to comply.
How does this impact companies outside of the state of NY?
The Act applies to “any person or business which […] owns or licenses computerized data which includes private information.” This means that if your business or organization has employees or customers who live in New York, this legislation may apply to you.
Updated data beach requirements:
The data breach requirements for NY state were also amended. As of October 23, 2019, the SHIELD Act required the recording of data breaches. If the incident were to involve the private information of more than 500 New York residents, the employer would be required to submit the documentation to the state’s attorney general within 10 days of that determination. The penalty enforced by the attorney general is $20 per failed notification with a maximum penalty of $250,000.
Jessica Robinson, is CEO of PurePoint International, and works as a Virtual/Outsourced CISO to middle market businesses in financial services and insurance. You can reach her at firstname.lastname@example.org.