Rights for consumers? That’s coming, too
Businesses in New York will soon be required to adhere to heightened data security measures when a new law is enacted in the state later this week.
The Stop Hacks and Improve Electronic Data Security Act, better known as the SHIELD Act, is a two-part data security-focused bill impacting all businesses that handle information belonging to New York state residents.
The law, which is due to come into force on Saturday (March 21), will require businesses to “implement and maintain reasonable safeguards” in order to “protect the security, confidentiality, and integrity of private information”, the bill (PDF) states.
This means that organizations must give consideration to the security of their administrative, technical, and physical operations, whether through regular staff training or scheduled penetration tests.
Organizations below certain earnings thresholds are still required to implement measures “appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers,” the bill states.
Businesses with fewer than 50 employees, or that hold less than $5 million in year-end total assets, are exempt from adhering to the rules, however.
Steps towards compliance
To remain relevant to the diversity of organizations that face compliance, the security measures set out in the SHIELD Act are vague. Nonetheless, many companies may soon have to change their entire work structure in order to integrate security into every stage of their operations.
“We find the most important step is the first one, getting started and assessing the business,” Joseph Lazzarotti, an attorney at New York-based law firm Jackson Lewis, told The Daily Swig.
“In the end, I do not think there is any ‘guarantee’ about compliance because data security is a moving target and businesses need to keep rethinking the different challenges technology, people, etc. present.”
In a blog post published earlier this month, Lazzarotti outlined his recommendations that businesses consider developing access management plans, maintaining written security policies and procedures, and utilizing two-factor authentication (2FA).
Although the bill will force companies in New York to shore up their data security regime and protect citizens’ data from malfeasance, the SHIELD Act provides consumers with limited rights when it comes to accessing or deleting their ‘private information’.
An individual, for instance, will not be able to request that a company delete their personally identifiable information – a right that is enshrined in California’s recently passed data privacy law, the Consumer Privacy Act (CCPA).
However, the state of New York plans to account for the so-called ‘right to be forgotten’, and other consumer-focused privacy rules, in separate legislation.
“The SHIELD Act was designed more as a data security statute, not data privacy,” Lazzarotti explained.
‘Private information’ itself has an expanded definition under the SHIELD Act, similar to the scope set out in the CCPA.
Publicly available data, as under the Californian law, is not included in what the SHIELD Act defines as ‘private’, but biometrics, non-encrypted data elements, and online account credentials have all been added to the state’s definition, which currently governs all legal issues concerning data security in New York.
The bill therefore expands on New York’s already enacted data breach notification law by adding to the circumstances in which a data security incident must be reported.
This now includes any incident involving unauthorized ‘access’ to private information, rather than the previous requirement to report only incidents involving malicious ‘acquisition’ of data.
The bill states: “In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”
The changes to New York’s data breach notification law came into effect on October 23 last year. All businesses, regardless of their size, must now disclose to all of their New York state consumers if a breach of their information occurs.
The state Attorney General must be notified if 500 or more residents are impacted by a security incident.
Companies that fail to report a breach, or that are shown to have implemented inadequate security measures, are liable to face penalties of up to $250,000.