Adding Another Digital Ball to Juggle: The SHIELD Act Now in Effect in New York

March 27, 2020 Published Article

With remote work becoming more widespread due to COVID-19, it is even more important to be aware of which laws govern how a company manages the personal data of its consumers and employees, including what to do in a breach. On March 21, 2020, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in New York came into effect in its entirety. So what is this new legislation? What does it do? How does it affect data management now?

What is the SHIELD Act?

The SHIELD Act is effectively an update to New York's previous laws to better protect personal information, including biometric information such as fingerprints, voiceprints, or some other unique physical representation used to authenticate or ascertain an individual's identity.

The SHIELD Act also sets forth how businesses must respond to a data breach incident, and what actions a business must take to provide baseline reasonable security measures. Ultimately, it does not provide any private remedies, as the biometric law in Illinois or the data breach provision of the CCPA does. Instead, it provides more practical guidance on actions to take, and definitions of what may constitute a breach or reasonable security, with enforcement by New York's Attorney General.

What Does it Do?

The law is effectively broken up into three parts: determining when a breach occurs; dictating how to respond to a breach; and stating the basic security requirements needed for businesses. 

For determining a breach, a company must determine when personal information may have been acquired by examining a variety of indicators, such as: (1) indications that the information is in the physical possession of another (e.g. a lost cell phone or laptop used in the business); (2) indications that the information has been downloaded or copied; or (3) indications that the information has been used by an unauthorized person (e.g. identity theft).

After it has been determined that a breach has likely occurred, the business must give notice as expediently as possible, consistent with the needs of law enforcement and with any measures necessary to determine the scope of the breach and restore the integrity of the system. First, regardless of circumstance, the business is required to notify the New York Attorney General. This is not limited solely to businesses located within the state of New York, or to those that conduct business in the state of New York. Unlike the CCPA, which sets a baseline for applicability, the law as currently written applies to any person or business that owns or licenses data that includes the private information of a New York resident. The form of notice varies: written, electronic, or telephonic notice may be provided, though (1) electronic notice must be consented to, and not as a condition of establishing a transaction or doing business (i.e. it cannot necessarily be part of the terms of service); and (2) telephonic notification must be recorded to show that such notification was given. Furthermore, e-mail notice may be given unless it is believed that the breached information includes an e-mail address and password or security information that would permit a hacker to hijack the account. If it is believed that the e-mail account may be compromised, notice must instead be given through the account itself when the login comes from an internet protocol address known to be associated with the individual's activity. Notice may also include conspicuous posting on a website or notification through statewide or national media.

Furthermore, in certain circumstances, notice to affected individuals may not be required when the exposure will not result in misuse, financial harm, or emotional harm, though a record of that determination must still be kept. In addition, notice given under federal privacy laws, such as HIPAA or the GLBA, does not require a separate notice under the SHIELD Act. In circumstances where separate notice under the SHIELD Act is not given, the New York Attorney General is still required to receive notification.

If the notice provision is violated, this could create liability of the greater of $5,000 or $20 per failed notification, with the latter capped at $250,000.

Finally, New York requires "reasonable security," which includes but is not limited to the disposal of personal data. The reasonable security requirement is satisfied if the business:

  1. Implements a program that
    • has reasonable administrative safeguards, with one or more employees designated to coordinate the safeguards;
    • identifies reasonably foreseeable risks;
    • assesses the sufficiency of the safeguards;
    • trains employees in security practices, programs, and procedures;
    • selects service providers capable of maintaining safeguards and requires them to do so by contract; and
    • adjusts the security program in light of business changes or new circumstances;
  2. Implements reasonable technical safeguards (e.g. assessing risk, detecting system failures, and regularly testing the safeguards); and
  3. Implements reasonable physical safeguards (e.g. protecting physical locations used for information storage and disposal, and detecting and deterring unauthorized access).

Regarding small businesses, New York provides some latitude, as the measures may be scaled down appropriately in light of the information the small business holds and the complexity of its operations. This contrasts with the CCPA in that the SHIELD Act provides far more specific guidance, while generally following a common-sense approach to reasonable security measures.

What Should a Business Do?

In responding to the SHIELD Act, a business should first determine how likely it is to collect the information of New York residents. For some businesses, such as online retailers, this is far more likely than for a local restaurant. Regardless, the Act stresses the need for businesses to protect data and to prepare a data breach response plan, with the knowledge that individual states may differ regarding specific notice requirements.