The Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), which went into effect on October 23, 2019, substantially broadens the scope of New York State's existing breach notification and data protection laws. The law applies to any for-profit or nonprofit organization that receives or collects private information about New York residents, wherever that organization is located. Simply put, if your organization has a website that collects so much as a username and password from New York residents, it is likely you need to comply with the provisions of the SHIELD Act.
The SHIELD Act creates two primary obligations: 1) the adoption and maintenance of a comprehensive cybersecurity data protection program to safeguard private information; and 2) compliance with specific data breach notification requirements.
The SHIELD Act broadens the statutory definition of “private information” (what is commonly called personally identifiable information, or “PII”), which means that most organizations will be deemed to be collecting PII. Under the SHIELD Act, any organization that collects PII must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of the PII. While the extent of the safeguards is expected to be proportional to the size and complexity of the organization, it is clear that all organizations will have to meet the minimum requirements outlined below.
- Develop, implement and maintain “reasonable [administrative, physical and technical] safeguards to protect the security, confidentiality and integrity” of PII.
- When utilizing third-party service providers, select providers capable of maintaining appropriate safeguards and include specific contractual provisions requiring them to do so. (This suggests that all current, and certainly future, vendor agreements must be reviewed and appropriately negotiated.)
- Adopt a data retention and destruction policy to safely and securely store, and when appropriate, permanently dispose of, PII.
Added to this, the SHIELD Act broadens the definition of a data breach to include unauthorized access to private information, not only its acquisition, and requires prompt notice to affected individuals and to the relevant state authorities. For those organizations that have yet to adopt a “data breach response plan”, the time to do so is now. The law provides for civil penalties, enforceable by the New York Attorney General, both for failing to provide timely notice in the event of a data breach and for failing to adopt reasonable safeguards.
The organizational costs related to unauthorized access continue to grow. Therefore, procuring and maintaining a comprehensive and appropriately tailored cyber-security insurance policy has never been more important (also see Cyber Security Insurance – A Must Have).
Although the breach notification provisions took effect on October 23, 2019, the law gives organizations until March 21, 2020 to establish the required data protection policies and practices. I highly suggest organizations use this time wisely! Businesses that have not previously been subject to cybersecurity regulatory requirements should promptly evaluate the sufficiency of their internal policies and practices, as well as the third-party service providers they use, to ensure compliance with the SHIELD Act requirements. Those organizations with existing cybersecurity programs should review and update their policies and practices in light of these new requirements.