The New York SHIELD Act Will Take Effect Soon

March 5, 2020

Pei-Yuan Wei

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") amending New York’s data breach notification law.

The SHIELD Act introduces more stringent requirements for recording data breaches. Businesses are granted until March 21st, 2020, to implement "reasonable security measures", in other words a comprehensive data security plan.

The SHIELD Act introduces significant changes, including the following:

  • Broadening the definition of "Personal Information"

Any individually identifiable information such as name, number or other identifier coupled with social security number, driver’s or non-driver identification card number or account number, credit or debit card number in combination with any security code, access code, password or other information that would permit access to the individual’s financial account, or biometric information (such as fingerprint, voice print, retina or iris image).

  • Expanding the Definition of “Breach”

The NYDFS defines a data breach as "unauthorized acquisition of private information". Under the SHIELD Act, it is now defined as "unauthorized access to private information", where "access" refers to the viewing, copying or downloading of private data. New York businesses must therefore know exactly how their private data is being accessed, including who has access to what data, and when.

  • Expanding jurisdictional reach

The SHIELD Act applies not only to organizations operating in New York, but to any organization that processes private data belonging to New York residents.

  • Imposing Data Security Requirements

The Act requires companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. A company should implement a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal.

All organizations that collect private information must independently satisfy the SHIELD Act's three-part standard for protecting sensitive individual information. However, regulated organizations that are covered by and in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services cybersecurity regulations shall be deemed in compliance with the SHIELD Act.

To achieve compliance, an organization must implement a data security program that includes:

  • Reasonable Administrative Safeguards
  • Reasonable Technical Safeguards
  • Reasonable Physical Safeguards

Small businesses will also be deemed in compliance if their safeguards are "reasonable" and appropriate for their size and complexity. To be considered a "small business," the business must meet the following requirements:

  • Fewer than 50 employees
  • Less than $3 million in revenues in each of the last three (3) fiscal years, or
  • Less than $5 million in year-end-total assets per GAAP.

Failure to implement a compliant information security program is subject to enforcement by the New York State Attorney General and may result in injunctive relief and civil penalties. For data breach notification violations that are not reckless or knowing, the court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For knowing and reckless violations, the court may impose penalties of the greater of $5,000 or up to $20 per instance, with a cap of $250,000. For violations of the reasonable safeguard requirement, the court may impose penalties of not more than $5,000 per violation. However, the SHIELD Act does not grant a private right of action.

If you have further questions, please contact Formosan Brother Attorney at Law; we are happy to assist you in resolving such issues and remaining in compliance with the New York SHIELD Act.

(Author: Pei-Yuan Wei, Legal Consultant)