Organizations Must Prepare for the Imminent Implementation of the SHIELD Act

December 16, 2019

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), originally proposed in late 2017, has been passed and will go into effect on March 21, 2020 with the intent to improve data security in the State of New York. The Act, as passed, expands upon the scope of how data is protected and increases notification requirements should an organization have a data breach.

What Is the SHIELD Act?

SHIELD requires organizations to demonstrate that reasonable cybersecurity safeguards are implemented to protect private and personal information. The definition of personal information includes “information concerning a person, which because of name, number or other identifier can be used to identify someone.” While the definition of personal information is not changing, under SHIELD, private information would be expanded to include:

  • Financial account numbers that can be used to access an account, such as a credit card number;
  • A username or email address in combination with a password or security question and answer that would allow access to an online account;
  • Biometric information used to authenticate an individual’s identity; and
  • Unsecured protected health information covered under HIPAA.

Further, SHIELD expands the definition of a breach. Previously, a breach was defined as unauthorized acquisition of private information, whereas now, it is defined as unauthorized access to private information, which would include viewing, downloading or copying this information.

SHIELD will require organizations that have more than 50 employees with gross revenues greater than $3 million, and own or license computerized data which includes private information of a New York resident, to “develop, implement and maintain reasonable safeguards to protect security, confidentiality and integrity of the private information.” To achieve compliance, your organization must implement a data security program that includes, at a minimum, the following:

  • Reasonable administrative safeguards that include a risk assessment, workforce cybersecurity training and due diligence of cyber risk for service providers utilized.
  • Reasonable technical safeguards that include a risk assessment of your network, implementation of measures to detect, prevent and respond to system failures and regular testing and monitoring of the system.
  • Reasonable physical safeguards that include detection, prevention and response to intrusions, and protections against unauthorized access to or use of private information as defined above. Additionally, measures must be taken to dispose of electronic media that is not needed for a business purpose so that information cannot be accessed.

Organizations that are covered by and have been deemed to be in compliance with HIPAA, the Gramm-Leach-Bliley Act (GLBA) or the New York Department of Financial Services cybersecurity regulations should have no additional work to do to be in compliance with the SHIELD Act.

Enhancing Breach Notification Requirements

SHIELD enhances how notification of data breaches is conducted. Organizations will need to include specific information about the data security breach and ensure that consumers who were affected by the breach receive secure notice of the breach. Further, organizations will be required to provide the state attorney general with a copy of the notice.

Failure to Comply

The requirement to implement a compliant security program will be enforced, and failure to comply may result in penalties of up to $5,000 for each violation.

How to Prepare Your Organization

March 2020 is quickly approaching. Take action now by determining whether SHIELD applies to your business and, if it does, assessing current security policies and procedures to determine whether they require updating.

The Technology Services Group at Marks Paneth can help you assess your readiness.