Are You NY SHIELD Act Compliant?
Effective October 23, 2019, for the notification enhancements and March 21, 2020, for the data security requirements, New York’s “Stop Hacks and Improve Electronic Data Security Act,” commonly referred to as the SHIELD Act, broadens the requirements for reporting data breach events and enhances security standards and safeguards. Because the SHIELD Act amends New York’s pre-existing data breach notification law, there are several significant changes that organizations need to be aware of to ensure compliance.
Any individual or organization that houses digital data or personally identifiable information (PII) belonging to a New York state resident will be responsible for complying with the SHIELD Act, whether they operate in New York or not.
What are the Compliance Requirements of the SHIELD Act?
Data Breach Notifications
The SHIELD Act enhances the obligations organizations face about how and when they must notify impacted parties in the event of a data breach by expanding the definitions of “data breach” and “private information.” Under the pre-existing legislation, notification of a breach in security was required of any individual or organization conducting business in New York “(1) where the compromised data is computerized data containing ‘private information’ of a New York resident, and (2) the compromised data is ‘reasonably believed’ to have been accessed or acquired by a person without valid authorization.”
Updates to the act include expansion of the term “data breach” to include unauthorized access to digital information that may compromise the integrity, confidentiality, or security of an organization or individual. The breadth of what is considered “private information” has also expanded under the SHIELD Act to include the following:
- Social Security Number
- Username and Password information that can be used to access financial information online
- Driver’s License or Non-Driver Identification Card Number
- Account, Credit, or Debit Card Numbers
- Security or Access Codes that permit access to financial accounts
- Biometric Data, such as fingerprints, face ID, or any other unique physical representation that can be used to authenticate an individual’s identity
It’s important to note that “good faith access to, or acquisition of private information by an employee” is not considered a data breach, as long as the information obtained was not disclosed without permission. When it comes to notification of a potential data breach, notification is not required if it is “reasonably determined that the disclosure will not result in misuse of the information or result in financial or emotional harm.”
Data Security
Any individual or organization that “owns or licenses computerized data” that includes personally identifiable information of a New York resident must “develop and maintain reasonable safeguards to protect the security, confidentiality, and integrity” of said data.
To be compliant with this aspect of the SHIELD Act, organizations must have one of the following in place:
- A data security program that is compliant under the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH Act), and New York’s DFS cybersecurity guidelines, or
- A data security program that has reasonable administrative, technical, and physical safeguards in place.
Reasonable Administrative Safeguards
- Designating one or more employees to manage the data security program
- Identifying reasonably foreseeable internal and external risks
- Assessing the sufficiency of safeguards in place to control identified risks
- Providing employee training
- Conducting due diligence on third-party vendors to ensure they have appropriate data security programs in place
- Adjusting the security program requirements as business needs change
Reasonable Technical Safeguards
- Assessing network and software design security risks
- Assessing risks in information processing, transmission, or storage
- Ensuring adequate detection, prevention, and response processes for attacks or system failures
- Regularly testing and monitoring the effectiveness of key controls, systems, and procedures
Reasonable Physical Safeguards
- Assessing security risks in data storage and disposal
- Ensuring adequate detection, prevention, and response processes for intrusions
- Protecting against unauthorized access to or use of private information during or after the collection, transportation, and disposal of the information
- Adequately disposing of private information within a reasonable amount of time after it is no longer needed for business purposes
In addition to these reasonable safeguards, organizations should consider also implementing the following precautions:
- Developing access management plans
- Maintaining written policies and procedures
- Applying sanctions to individuals who violate the organization’s data privacy and security policies and procedures
- Implementing facility security procedures
- Maintaining and practicing disaster recovery and business continuity plans
- Tracking inventory of equipment and devices
- Deploying encryption and data loss prevention tools
- Developing and practicing an incident response program
- Regularly updating antivirus and malware protection
- Utilizing multi-factor authentication, and
- Maintaining and implementing a record retention and destruction policy
Impacts of Non-Compliance
For notification violations that are deemed knowing and reckless, organizations may be liable for the following penalties, whichever is greater:
- A $5,000 penalty
- Up to $20 per penalty, with a cap of $250,000
For violations relating to a reasonable safeguard, penalties of up to $5,000 per violation can be imposed.
For any violations of the SHIELD Act that are deemed neither reckless nor knowing, a court may order an organization to pay the actual costs incurred by an impacted individual, including any financial losses realized as a result of the breach.
Are There Any Exceptions?
While all organizations, no matter the size, are required to comply with the data breach notifications aspect of the SHIELD Act, some adjustments can be made to the reasonable safeguards for those companies that qualify as a “small business.”
To qualify as a small business under the SHIELD Act, an organization must meet one or more of the following guidelines:
- Have fewer than 50 employees
- Incur less than $3 million in gross annual revenue in each of the last 3 fiscal years
- Hold less than $5 million in year-end total assets
The BBH Difference
BBH is a New York City-based Managed Service Provider that specializes in compliance for regional banks in the Tri-State area and beyond. We offer compliance support either as a stand-alone service or as a part of our complete managed services offering.
Visit our Security and Compliance page to learn more about how BBH can help you become SHIELD compliant.