Intellectual Property, Information Technology & Cybersecurity

NY SHIELD Act: New Extensive Cybersecurity Protocols and Expanded Data Breach Reporting for New York Businesses

Authors: Barry Werbin and Erica L. Markowitz

On October 23, 2019, new cybersecurity laws begin to take effect in New York that will impact most New York businesses. The Stop Hacks and Improve Electronic Data Security Act – also known as the SHIELD Act – requires companies by March 21, 2020, to adopt security programs to reduce risks of a data breach (a “Cybersecurity Program”).

The SHIELD Act Impacts New York Businesses Across Industries

The requirement to adopt a Cybersecurity Program applies to any person or business that owns or licenses computerized data, which includes private information of New York residents including biometric data, unsecured health information, financial account numbers and email addresses along with corresponding passwords or security questions and answers. This potentially impacts all New York businesses, as well as businesses in other states, that have access to data of New York residents.

This requirement is especially impactful on unregulated industries, such as the real estate, retail and certain service industries, which, until now, were not required by law to adopt cybersecurity-related programs. For example, a mid-size New York real estate management company that maintains New York tenant information is now required to develop an extensive cybersecurity program to protect the data of those tenants. Similarly, a New York real estate developer that has employee information would also likely be included under the requirements of the SHIELD Act.

The SHIELD Act eases certain regulatory burdens on small businesses, allowing them to adopt “reasonable” administrative, technical and physical safeguards that are appropriate based on the business’s size, complexity and the sensitivity of the data. However, since a small business is defined as a business with fewer than 50 employees, less than $3 million in gross annual revenue in the past three years or less than $5 million in year-end total assets, most companies will exceed these thresholds and be required to develop and implement an extensive Cybersecurity Program.

In addition, businesses that already are compliant with certain other federal or New York data protection regimes, such as the cybersecurity regulations of the NYS Department of Financial Services, are deemed compliant with certain portions of the SHIELD Act.

The SHIELD Act Requires the Adoption of Comprehensive Cybersecurity Policies and Procedures

The SHIELD Act requires businesses to develop, implement and maintain “reasonable safeguards to protect the security, confidentiality and integrity” of New York residents’ data, in three ways:

Administrative Safeguards: The Cybersecurity Program must have administrative safeguards such as the following, in which the business (i) designates one or more employees to coordinate the Cybersecurity Program; (ii) assesses internal and external data security-related risks and the sufficiency of safeguards in place to control the identified risks; (iii) trains and manages employees in the cybersecurity practices; (iv) selects vendors who are capable and obligated under contract to meet cybersecurity standards; and (v) adjusts the Cybersecurity Program in light of changes or new circumstance.

Technical Safeguards: The Cybersecurity Program must implement technical safeguards, such as the following, in which the business (i) assesses data security-related risks of network and software design and information processing, transmission and storage; (ii) detects, prevents and responds to attacks or system failures; and (iii) tests and monitors the effectively of controls, systems and procedures.

Physical Safeguards: The Cybersecurity Program must put into place physical safeguards, such as the following, in which the business: (i) assesses risks of information storage and disposal; (ii) detects, prevents and responds to intrusions; (iii) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (iv) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Additional Business Considerations and Best Practices

In order to meet the March 2020 deadline, companies should take necessary steps to ensure that they are in compliance with the SHIELD Act. These steps include:

  • Adopting a company-wide Cybersecurity Program, which is compliant with the SHIELD Act’s requirements. If your company already has a Cybersecurity Program in place, it should be reviewed and updated to comply with the SHIELD Act.
  • Appointing a Chief Information Security Officer (CISO) or other individual who is tasked with overseeing the Cybersecurity Program.
  • Conducting diligence on all third-party vendors to insure that they have appropriate cybersecurity-related internal controls. Vendors may include a company’s attorneys, accountants, as well as outsourced IT, janitorial and secretarial services. All pre-existing contracts should be reviewed and appropriate provisions should be added to the contracts to obligate the vendors to meet cybersecurity standards. New contracts should include appropriate provisions.
  • Onboarding and periodic cybersecurity training should be scheduled for all new and current employees.

Data Breach Expanded Directives

The SHIELD Act also expands New York’s existing data breach notification laws, which will require a business that experiences a data breach, regardless of where the business is located, to notify New York state residents whose personal information may have been comprised. A “breach” includes unauthorized access and not just unauthorized acquisition of data, as in the existing New York data breach law. A breach of private data involving more than 500 New York residents also requires submission of documentation to the state's Attorney General within 10 days of a breach determination.

Significantly, enforcement of the SHIELD Act, including the imposition of fines, is solely by New York’s Attorney General, and the statute expressly states that it does not confer a private right of action. Nevertheless, we expect that New York residents who suffer damage by data breaches will assert negligence claims and argue that the SHIELD Act’s minimum standards serve as the baseline for reasonable business practices in the cybersecurity space.

 

< Back