New York’s new SHIELD Act takes effect on March 21, 2020 and, compared with the GDPR sensation and California’s follow-up, it has generated little fuss. In short, the people of New York decided to protect their data by updating the existing general business law with requirements for everyone who uses their private information.
More specifically, the state of New York enacted the “Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).” This Act updated the heading of article 39-F of the general business law to “Notification of Unauthorized Acquisition of Private Information; Data Security Protections,” amended §899-aa, and added a new paragraph, §899-bb.
This Act applies to any person or business that “owns or licenses computerized data which includes private information” of New York state residents, regardless of the business location.
The major highlights of the Act are:
1.) The “Private Information” definition has been updated
2.) The “Breach of the security of the system” definition has been updated
3.) Compliance with certain regulations can be used as a proxy for SHIELD compliance
4.) A list of administrative, technical, and physical security requirements
Nothing in this law is unreasonable. It just requires reading, thinking, talking to a privacy lawyer, documenting, and doing something about it. Easy.
A Few Steps to Get You Started
1.) The “Private Information” Definition
The law defines three structures:
• Personal information: name, number, personal mark, etc.
• Data elements: SSN, driver’s license number, biometric, financial account number with (or without) access numbers, etc.
• Private information: a combination of the previous two when either is unencrypted, or the encryption key has been accessed or acquired.
Publicly available information is not private if it is available from federal, state or local government records.
CHAT WITH A LAWYER: Facebook, LinkedIn, and Twitter are not government records, and the “etc.” items above must be defined.
OPPORTUNITY: Revisit and update your data classification structure. If you don’t have one, now is the time to build it. It is extremely useful and makes everyone’s life much easier. However, don’t make it so complicated that only your lawyer can understand it. Data classification is NOT for legal professionals; it is for people who do not want to deal with anything more than one if-then-else statement.
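The three structures above reduce to a short decision rule, which is the point of keeping data classification at the level of a single if-then-else. The following Python is an added example, not code from the article or from any classification tool: it encodes the summary given above (personal information plus a data element is private unless both are encrypted and the key is intact; government-record data is public). The field names, the Record shape, and the PROTECTED label for a fully encrypted combination are assumptions made for the example, and the "etc." items the article leaves to a lawyer are deliberately not filled in.

```python
"""Toy data classifier following the three structures summarised above.

The labels, field names and Record shape are assumptions made for this
example; they are not taken from the Act's text or from any real tool.
"""
from dataclasses import dataclass

# Field types counted as "personal information" (identifiers) and as
# "data elements". Only the items named in the summary are listed; the
# "etc." items are exactly what has to be defined with a lawyer.
PERSONAL_INFO = {"name", "number", "personal_mark"}
DATA_ELEMENTS = {"ssn", "drivers_license", "biometric", "financial_account"}


@dataclass
class Record:
    fields: frozenset                    # field types the record carries
    encrypted: frozenset = frozenset()   # subset of fields stored encrypted
    key_compromised: bool = False        # encryption key accessed or acquired
    public_gov_record: bool = False      # available from government records


def classify(rec: Record) -> str:
    """Return the classification label for one record.

    PUBLIC:       available from federal, state or local government records.
    PRIVATE:      personal information combined with a data element, where
                  either part is unencrypted or the key has been compromised.
    PROTECTED:    the same combination, fully encrypted with the key intact
                  (assumed label; the combination is not "private" as defined).
    PERSONAL / DATA_ELEMENT: only one half of the combination is present.
    NONE:         neither structure is present.
    """
    if rec.public_gov_record:
        return "PUBLIC"
    personal = rec.fields & PERSONAL_INFO
    elements = rec.fields & DATA_ELEMENTS
    if personal and elements:
        unencrypted = (personal | elements) - rec.encrypted
        if unencrypted or rec.key_compromised:
            return "PRIVATE"
        return "PROTECTED"
    if personal:
        return "PERSONAL"
    if elements:
        return "DATA_ELEMENT"
    return "NONE"


def inventory(records):
    """Count records per label, the figure a classification review starts from."""
    counts = {}
    for rec in records:
        label = classify(rec)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample records (not real data).
SAMPLE = [
    Record(frozenset({"name", "ssn"})),                              # plaintext
    Record(frozenset({"name", "ssn"}), frozenset({"ssn"})),          # SSN encrypted, name not
    Record(frozenset({"name", "ssn"}), frozenset({"name", "ssn"})),  # fully encrypted
    Record(frozenset({"name", "ssn"}), frozenset({"name", "ssn"}), key_compromised=True),
    Record(frozenset({"name"})),                                     # identifier only
    Record(frozenset({"financial_account"})),                        # data element only
    Record(frozenset({"name", "number"}), public_gov_record=True),   # public record
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(sorted(rec.fields), classify(rec))
    print(inventory(SAMPLE))
```

The useful outcome is the inventory count: once every store is labelled this way, the question of which records a breach notification has to cover becomes a lookup rather than a debate, and the "key compromised" flag makes explicit that encryption alone does not keep a combination out of the PRIVATE bucket.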
2.) The “Breach of the Security of the System” Definition
This definition did not change much from its original form, other than the additions of “ACCESS” and “PRIVATE.” It still means that a breach is an access to or acquisition of private information that was unauthorized or without a valid authorization.
The factors a business must weigh when deciding whether an incident is a breach remain only faintly informative. For example, if “…information was viewed, communicated with, used, or altered by a person without a valid authorization or by an unauthorized person,” it is safe to conclude the incident is a breach.
The new part for security teams to note is that once notice of the breach has been given under the requirements of other regulations (i.e. GLB, HIPAA/HITECH, 23 NYCRR 500, and other NY and federal laws), no additional notice to affected people is needed. However, notice to the state attorney general, the Department of State, the state police, and consumer reporting agencies is still required.
CHAT WITH A LAWYER: Breach notification requirements are detailed in the law, addressing who, how, when and what. Every organization must detail processes and procedures per their circumstance and risk tolerance—including what “the most expedient time,” “unreasonable delay” or “any measures necessary” mean.
OPPORTUNITY: Revisit and update your incident response plan. Ensure appropriate reporting, triage, evaluation, prioritization, escalation, containment, and remediation practices, along with proper root cause analysis and corrective action. Detail incident classification and timeframes, and an escalation path that includes CIO/CISO, legal, and communications representatives. Don’t forget to outline a communication plan for informing asset owners and supervisory authorities and for approving media statements and information sharing. Test it.
While the SHIELD Act has not made the same waves the GDPR and the California Privacy Act have, it is still important to be aware of its impacts. Subtle changes to rules and regulations can have a significant effect on the way organizations must respond to data breaches, and education is critical to moving forward successfully. In next week’s article, we’ll discuss how certain regulations can serve as a proxy for SHIELD compliance—and what the new regulations might mean for your organization.
Note: This article contains general information only; it is not professional advice or a professional service. You should not act on this information without consulting a lawyer with expert knowledge of the data protection laws and practices of your state/country.