Locke Lord QuickStudy: New York SHIELDs Private Information (Security Requirements effective March 21, 2020)

Locke Lord LLP
March 13, 2020

As we first reported on July 24, 2019 (and updated on September 24, 2019), an amendment of New York’s data breach notification law—the Stop Hacks and Improve Electronic Data Security Act, commonly referred to as the SHIELD Act—was signed into law on July 25, 2019.  While the breach notification amendments of the SHIELD Act went into effect on the ninetieth day after being signed into law—October 23, 2019—the security requirements of the SHIELD Act officially go into effect on the two hundred fortieth day after the SHIELD Act was signed into law- March 21, 2020.  

Data Security Obligations
The SHIELD Act added a requirement that covered entities implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information, including the disposal of data.  In order to be in compliance, a business must implement a data security program that includes reasonable administrative, technical and physical safeguards, including:

  • Administrative safeguards: (1) designates one or more employees to coordinate the security program; (2) identifies reasonably foreseeable internal and external risks; (3) assesses the sufficiency of safeguards in place to control the identified risks; (4) trains and manages employees in the security program practices and procedures; (5) selects service providers capable of maintaining appropriate safe guards, and requires those safeguards by contract; and (6) adjusts the security program in light of business changes or new circumstances.
  • Technical safeguards: (1) assesses risks in network and software design; (2) assesses risks in information processing, transmission and storage; (3) detects, prevents and responds to attacks or system failures; and (4) regularly tests and monitors the effectiveness of key controls, systems and procedures.
  • Physical safeguards: (1) assesses risks of information storage and disposal; (2) detects, prevents and responds to intrusions; (3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Small businesses are permitted to scale the above reasonable security requirements as appropriate for the size and complexity of the business, the nature and scope of the business’ activities, and the sensitivity of the personal information the business collects.  In addition, a business is deemed to be in compliance with the above reasonable security requirements if the business is subject to and in compliance with GLBA, HIPAA, part 500 of title 23 of the official compilation of codes, rules and regulations of the state of New York, or any other data security rules and regulations of any official department, division, commission or agency of the federal or New York state government. 

For a full breakdown on the amendments to the SHIELD Act click here to view our September 24, 2019 article, and be sure to Locke-down your SHIELD Act compliance procedures.