Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”)
What types of security breaches are covered by this law?
Under the 2005 law, a security breach is defined as an unauthorized acquisition of computerized data which compromises the security, confidentiality or integrity of private information. The SHIELD Act expands the definition of a security breach to any “access” to computerized data that compromises the confidentiality, security, or integrity of private data.
What is the significance of this law?
The SHIELD Act, signed into law on July 25, 2019 by Governor Andrew Cuomo, amends New York’s 2005 Information Security Breach and Notification Act. The Shield Act significantly strengthens New York’s data security laws by expanding the types of private information that companies must provide consumer notice in the event of a breach, and requiring that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.
What does private information consist of?
Under the 2005 law, private information was any personal information concerning a natural person in combination with any one or more of the following data elements: social security number, driver’s license number, account number, or credit or debit card number in combination with any required security code. The SHIELD Act expands the law to include biometric information, and username/email address and password credentials.
What are the safeguards that are included in the SHIELD Act?
The SHIELD Act requires any person or business that maintains private information to adopt administrative, technical and physical safeguards. Certain safeguards are listed but it is not meant to be an exhaustive list.
Reasonable administrative safeguards:
- designates one or more employees to coordinate the security program;
- identifies reasonably foreseeable internal and external risks;
- assesses the sufficiency of safeguards in place to control the identified risks;
- trains and manages employees in the security program practices and procedures;
- selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
- adjusts the security program in light of business changes or new circumstances.
Reasonable technical safeguards:
- assesses risks in network and software design;
- assesses risks in information processing, transmission and storage;
- detects, prevents and responds to attacks or system failures; and
- regularly tests and monitors the effectiveness of key controls, systems and procedures.
Reasonable physical safeguards:
- assesses risks of information storage and disposal;
- detects, prevents and responds to intrusions;
- protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
- disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
What are the obligations of businesses when a breach occurs?
The law requires that the person or business notify the affected consumers following discovery of the breach in the security of its computer data system affecting private information. The disclosure must be made in the most expedient time possible consistent with legitimate needs of law enforcement agencies. While the law requires notice to the Attorney General’s office, New York Department of State and the New York State Police of the timing, content and distribution of the notices and approximate number of affected persons, submission of a breach form through the NYAG data breach reporting portal is sufficient as its automatically sent to all three entities: • Data Breach Reporting Portal
The person or business must also notify consumer reporting agencies if more than 5,000 New York residents are to be notified. The contact information for the three nationwide consumer reporting agencies is as follows:
EQUIFAX
P.O. Box 105788
Atlanta, GA 30348
1-800-349-9960
www.equifax.com
EXPERIAN
Consumer Fraud Assistance
P.O. Box 9554
Allen, TX 75013
888-397-3742
www.experian.com
TRANSUNION
P.O. Box 2000
Chester, PA 19016-2000
Phone: 800-909-8872
www.transunion.com
If you are a consumer affected by a breach, you may file a complaint through the Attorney General’s online complaint form. Do not submit a breach notification form.
Are there any exceptions to the notification requirements?
The law also provides for substitute notice to consumers if the business demonstrates to the Attorney General that the cost of providing regular notice would exceed $250,000 or that the affected class of persons exceeds 500,000 or the entity or business does not have sufficient contact information. Where substitute notice is used, it must consist of all of the following, as applicable: e-mail notice, conspicuous posting on the entity’s web site, and notification to statewide media.
The law also does not require consumer notification if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials. Such a determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.
What are the penalties for violations of the SHIELD Act?
Under the SHIELD Act, the Attorney General may seek injunctive relief, restitution and penalties against any business entity for violating the law. For failure to provide timely notification, the court may impose a civil penalty of up to $20 per instance of failed notification not to exceed $250,000. For failure to maintain reasonable safeguards, the court may impose a civil penalty of up to $5,000 per violation.