NY Shield Act effective dates: 
October 23, 2019 – Breach notification rules change
March 21, 2020 – Data security requirements

Purpose of the law?
New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) is concerned with notification of a security breach, it is an update to the current law in place. It has broadened the definition of a security breach to include any person gaining unauthorized access to information and requires businesses to adhere to standards customized to the size of the business. 

What is the definition of private information under the act? 

Private information is defined as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
•    social security number;
•    driver’s license number or non-driver identification card number;
•    account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account;
•    account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
•    biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; OR a username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Private information included under the Shield Act that was not included in the previous law are, biometric data, account numbers, credit/debit card numbers that can be used to access an account without a 2nd form of identification and online account credentials

What are the breach notification requirements?
The Shield Act requires businesses to notify government agencies as well as the individuals affected. 

Breach notifications require businesses to include the following details when delivering a notification:
•    Contact information of the individual or business who delivering the notification
•    A description of the category  and specifications of the private  information that has been stolen or leaked
•    Phone numbers and websites of state and federal agencies that provide information on breach response, identity theft prevention, and information protection
•    Access and acquisition of private information
•    All affected persons must be sent a copy of the notification

What are the “reasonable” data security requirements? 
The Act provides businesses with a guideline for what is considered reasonable administrative, technical, and physical best practices.

Administrative Safeguards
•    Designate individual(s) responsible for security programs;
•    Conduct a risk assessment process one that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of safeguards in place to control those risks;
•    Train and manage employees in security program practices and procedures;
•    Select capable service providers and require safeguards by contract; and
•    Adjust program(s) in light of business changes or new circumstances.

Physical Safeguards
•    Assess risks of information storage and disposal;
•    Detect, prevent, and respond to intrusions;
•    Protect against unauthorized access/use of private information during or after collection, transportation, and destruction/disposal; and
•    Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes.

Technical Safeguards
•    Assess risks in network and software design;
•    Assess risks in information processing, transmission, and storage;
•    Detect, prevent, and respond to attacks or system failures; and
•    Regularly test and monitor the effectiveness of key controls, systems, and procedures.

In addition to the safeguards in the new law, organizations should consider others, such as:
•    Developing access management plans;
•    Maintaining written policies and procedures;
•    Applying sanctions to individuals who violate the organization’s data privacy and security policies and procedures;
•    Implementing facility security plans;
•    Maintaining and practicing disaster recovery and business continuity plans;
•    Tracking inventory of equipment and devices;
•    Deploying encryption and data loss prevention tools;
•    Develop and practice an incident response program;
•    Regularly updating antivirus and malware protections;
•    Utilizing two-factor authentication; and
•    Maintaining and implementing a record retention and destruction policy.

Who does this law apply to?
The purpose of this act is to provide data security to all New York residents. Any business, including those outside NYS, that own any private information related to a NYS resident must comply with this law. 

When it comes to reporting a security breach, small businesses must comply with regulations of this act, there are no exceptions. The act includes some relief for small businesses with fewer than 50 employees, a gross revenue less than 3 million dollars each year in the last 3 years, or less than 5 million dollars in year-end total assets.  

Violations can result in a fine capped at $250,000 per instance for failure to comply with the breach notification requirements and cap at $5,000 per violation of reasonable safeguard requirements. 

More information:

NY State Senate Bill S5575


Visit our blog for more insights into applications of RPA and subscribe to our newsletter below to receive the latest industry news and observations.