New York's SHIELD Act reaches businesses nationwide: any person or business that owns or licenses computerized data containing the private information of New York residents must comply, whether or not it operates in New York. The following are key takeaways regarding SHIELD Act compliance.
S5575B, known as the "Stop Hacks and Improve Electronic Data Security Act" (SHIELD Act), was introduced in spring 2019 and signed into law in July 2019. Its expanded breach notification provisions took effect on October 23, 2019, and its data security requirements take effect on March 21, 2020. The bill is intended to protect New Yorkers' personal and private information in an increasingly digital world, and it sets additional guidelines for data breach notifications involving PII. SHIELD, in part, amended New York's existing data breach notification law to better match the current cybersecurity landscape (for example, by treating unauthorized access to data, not only its acquisition, as a breach, and by adding biometric data and username-and-password combinations to the definition of private information), while also introducing data security requirements for affected businesses.
Here are the top 8 details to know about the SHIELD Act that may affect your organization:
Reasonable Security Requirement
Any business that owns or licenses computerized data containing the private information of any New York resident must develop, implement, and maintain "reasonable safeguards" through an organization-wide cybersecurity program, including:
- One or more designated employees who coordinate the security program and are accountable for it
- Regular assessment of reasonably foreseeable internal and external risks, including risks in network design, hardware, and software
- Measures to prevent attacks and system failures
- Detection of, and response to, attacks and system failures
- Training of employees in the security program's practices and procedures, including training and testing them on general cybersecurity best practices
Data Breach Notification
If your organization experiences a data breach involving the PII of New York residents, these are the considerations when notifying the necessary parties:
- Balance Incident Response Procedures & Timeliness
"Disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, ... or any measures necessary to determine the scope of the breach and restore the [reasonable] integrity of the system." - S5575B
- Notifying Affected Persons
Breach disclosure may be provided to affected persons by written notice, by telephone (keeping a log of each call made), or by electronic notice if the affected person has consented to receive notices electronically.
- Notifying Authorities
If PII has been exposed and New York residents or customers must be notified, you must also notify the New York Attorney General, the Department of State, and the Division of State Police regarding the timing, content, and distribution of your notices and the approximate number of affected persons. If more than 5,000 New York residents must be notified, you must additionally notify the consumer reporting agencies of the timing, content, and distribution of the notices and the approximate number of affected persons.