In recent years, many states have been updating their data privacy laws to account for new technologies and security risks. On Oct. 23, 2019, a New York law on data breach notification requirements became effective. The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has a broader reach than the state’s previous data breach notification law because the law now applies to organizations that operate in all 50 states. If an organization owns or licenses a New York resident’s data, then the SHIELD Act potentially applies and thus, the organization would be responsible for disclosing data breaches that affect New Yorkers’ private information. Some examples of the type of information that is protected includes social security numbers, financial data, website logins and passwords, driver’s license numbers, and biometric data. Since modern technology makes it possible for organizations to collect, buy, store, and trade this type of personal data and in higher volumes than ever before, the updated law more aptly reflects the current business climate.

 

When Does the New York SHIELD Act Apply?

Organizations around the country must determine if the SHIELD law pertains to them. It is important to note that an organization does not have to actually conduct any business in New York in order to be subjected to the SHIELD Act’s provisions. As noted above, organizations simply need to own or license a New York resident’s private information to be subjected to SHIELD requirements. If the Act does apply to an organization and the type of data breach that occurs triggers disclosure, the law requires expedient breach notification to affected parties and/or the state attorney general.

Data Breach Disclosure

Under the law, organizations must disclose a data breach when an unauthorized person acquires or gains access to private information. Disclosure rules can also apply when an organization reasonably believes that there was unauthorized data access or acquisition. Failure to provide breach notifications that the SHIELD Act requires can result in civil penalties up to $250,000.

If an authorized person inadvertently discloses the information and it will not be misused or cause harm, the law does not require breach notification. Additionally, the SHIELD Act does not require breach notification to New York residents when certain other laws (like HIPAA) already require notification. However, in this instance, the organization must still report the breach to the state attorney general and department of state.

Best Practices for SHIELD Act Compliance

To help achieve compliance under the SHIELD Act, organizations should implement the following practices:

1. Perform Routine Data Checks

   Routine checks will ensure that organizations keep on top of whether they have any New York resident’s data. Maintaining a separate spreadsheet which lists the type of data that is potentially subject to the SHIELD Act would be extremely helpful in staying organized and assisting with compliance efforts. Designate which employees can access the spreadsheet and who is responsible for updates. In the event of a breach, an organization implementing this practice will be able to quickly identify if the SHIELD Act applies and who to notify.

2. Update Pertinent Policies and Procedures

   Organizations that store New York residents’ data on their systems should immediately review and update their breach notification policies to account for the new law. Updated policies should detail when the SHIELD Act applies, when it does not apply, and any unique notification procedures.

3. Provide Employee Education and Training

   As always, organizations should make sure employees understand laws which are applicable to business operations. Circulating policies, having informational meetings, and hosting training sessions are all ways to familiarize employees with the SHIELD Act and make sure they are prepared in the event of a breach.

4. Operate a Sound Data Security Program

   On March 21, 2020, another section of the SHIELD Act will become effective and require that organizations implement data security programs which contain reasonable administrative, technical, and physical safeguards. Some key security safeguards include performing continuous risk assessment, hosting training sessions with mock breach scenarios, and employing comprehensive record retention and disposal practices. The law does not put a cap on potential penalties for failing to comply with the sections pertaining to data security programs. Consequently, organizations that do not have a comprehensive data security policy could experience high and reoccurring fines.

Conclusion

The SHIELD Act will increase the number of organizations responsible for disclosing data breaches involving New York residents. In turn, this law could trigger an increase in the amount of actions and noncompliance fines pertaining to data breach notifications. Organizations under the SHIELD Act must review the law to become familiar with all the requirements and exceptions pertaining to data breach notification. Implementing the practices listed above will help organizations take swift action and comply with the new law in the event of a data breach. It is also important to remain informed when other states amend and broaden their data breach notification laws in order to ensure compliance with any other relevant laws. If you found this blog informative, you may enjoy reading Not Even Bots Are Safe From California Law Makers or The Epiq Angle Blog.