In July 2019, Governor Cuomo signed the “Stop Hacks and Improve Electronic
Data Security” (SHIELD) Act which requires businesses to implement
safeguards for “private information” of New York State residents. Private
information outlined in the Act includes email addresses and their
passwords, biometric information resulting from facial recognition software
or other means, Social Security numbers, driver license numbers, and debit
and credit card numbers, to name a few. The Act amends General Business
Law 899-aa (breach notification) and adds General Business Law 899-bb
(data security requirements); it also updates State Technology Law 208.
Compliance with the updated breach notification portion (899-aa) was
required by October 2019, and the balance (899-bb) is required by
March 21, 2020. The law affects almost EVERY business in New York that
holds New York resident data, and businesses outside New York that hold
New York resident data. The law relates to computerized data only.
For small businesses (those with fewer than 50 employees or less than $3
million in gross annual revenue), the Act allows for “reasonable
safeguards”. The Act does not define “reasonable safeguards”; it states
only that the safeguards must be appropriate for the size and complexity
of the small business and the sensitivity of the data it holds. Such safeguards should
include documented and tested administrative, technical and physical
safeguards in a written data security program. No matter your size, the
program should contain specific measures, including, at a minimum, annual
risk assessments, employee training, vendor contract audits, and timely
disposal of private information.
The SHIELD Act also does not mandate specific safeguards for larger
businesses, but it lists examples of what a business can do to be deemed
in compliance, such as implementing a “data security program” with
administrative, technical and physical safeguards. Additionally, if your
business is already in compliance with the Gramm-Leach-Bliley Act, HIPAA
or the NYS Department of Financial Services Cybersecurity Regulation, you
are deemed in compliance with the SHIELD Act for the data those regimes
cover. However, if you hold private information that those standards do
not cover (for example, employee records at a HIPAA covered entity), you
may not be in full compliance.
In addition to safeguards, businesses must designate a person or group to
coordinate the data security program. That individual or group must
conduct risk assessments and oversee the implementation of safeguards to
address the risks identified. Risks must be assessed regularly (annually
is suggested). The law adds multiple requirements: mandatory, documented
internal and third-party risk management policies and procedures, regular
testing and monitoring of controls, employee training, a named security
official, and protection of the personally identifiable information
already covered by other New York laws. This applies to all New York
resident data (including employee data!), not only to businesses
physically located in New York.
The law also updates the breach notification rules. It adds a breach
definition very similar to those in federal laws, in which unauthorized
access alone (not just acquisition) can constitute a breach. We would
suspect it is not a big leap for ransomware to be treated as a data
breach under this law’s “unauthorized access” standard too. It further
states that a breach reportable under HIPAA (or to other federal and
state regulatory agencies that require reporting) MUST be communicated to
the New York Attorney General as well. The Attorney General can seek up
to $250,000 for violations of the
It is critical that each employer doing business in New York review the
requirements of the SHIELD Act and determine the steps that need to be
taken in order to become compliant by March 21, 2020. Should you have
questions, reach out to our information risk management experts at Bonadio
or at FoxPointe Solutions, our designated cybersecurity division.