Feb 14, 2020
The New York Shield Act
On March 21, 2020, the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”), signed last July by the Governor of the State of New York, Andrew Cuomo, will come into force. This Act amends the current provisions on notification of violations of personally identifiable information (“Private Information”) by imposing substantial security requirements on companies that possess or license computer data containing private information of New York residents.
The Act, which affects any person or company, anywhere in the world, that owns or licenses “private information” about a New York resident, has become more necessary than ever, following more than 1,300 data breach notifications in 2016, with a steady upward trend in subsequent years.
Endpoints, which access corporate networks via desktop computers, laptops, wireless networks, tablets and mobile phones, handle large volumes of personal information, making them the preferred target of phishing attacks by hackers to steal data.
What is “Private Information” in this context?,
They’re included in this text:
- personal information consisting of any information in combination with one or more of the following data elements, when the data element or combination of personal information plus the data element is not encrypted, or is encrypted with a security key that has been made accessible or has been acquired:
- social security number;
- driving licence number or identity card number;
- account number, credit or debit card number, in combination with any security code, access code, password or other information that would allow access to an individual’s financial account; account number, credit or debit card number, if there are circumstances in which that number could be used to access an individual’s financial account without additional identification information, security code, access code or password; or
- biometric information, i.e. data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retinal or iris image, or other unique physical representations or digital representations of biometric data that are used to authenticate or verify the identity of the individual; or
- a username or email address in combination with a password or security question and an answer that would allow access to an online account.
The Shield Act makes two substantive changes: it replaces the definition of “personal information” with “private information”, broadening its meaning and scope; and it also broadens the meaning of “system security breach” to include incidents that result in “access” to private information, regardless of whether there has been a “capture” of such information (first, non-acquisition, deemed to be a breach). In addition, it maintains the “good faith” exception where such information has been displayed or exposed through «inadvertent disclosure and the person or company reasonably determines that such exposure is not likely to result in misuse of such information or financial harm to the persons concerned or emotional harm in the event of unknown disclosure of online credentials».
By imposing a notification and warning obligation, according to reasonable schemes, that ensure that the security, confidentiality and integrity of private information is protected, the Shield Act provides for a series of civil penalties (neither a private right of action nor class actions being allowed), and for “bona fide” violations, the court may award damages for actual costs or losses incurred by a person entitled to notification, including consequential financial loss.
Entities affected by the new legislation will be required to have a data security program with “reasonable” administrative, technical and physical safeguards.
Reasonable administrative guarantees include:
- designate one or more employees to manage the data security program;
- identify reasonably foreseeable internal and external risks;
- assessing the sufficiency of existing safeguards to control the risks identified;
- provide training for employees;
- conducting due diligence on third party vendors to ensure that they have adequate data security programs and to require “adequate safeguards” by contract;
- adapt the security program to business changes or new circumstances.
Reasonable technical guarantees include:
- security risk assessment of network and software design;
- risk assessment in the processing, transmission and storage of information;
- ensuring adequate detection, prevention and response processes for attacks or system failures;
- regularly testing and monitoring the effectiveness of key controls, systems and procedures.
Reasonable physical guarantees are understood in cases where a company:
- assesses security risks in data storage and disposal;
- ensures adequate intrusion detection, prevention and response processes;
- provides protection against unauthorized access or use of private information during or after the collection, transport and disposal of information; and
- adequately dispose of private information within a reasonable period of time after it is no longer needed for commercial purposes.
Guarantees which should also apply to small businesses and which should be “appropriate to the size and complexity of the small business, the nature and extent of the small business activities and the sensitivity of the personal information that the small business collects from or about consumers”.
Not only that! The law in question imposes new requirements for reporting violations of “covered entities”, entities that may disclose PHI to certain parties, to facilitate their treatment, payment or health care operations, without the express written permission of the patient, according to the dictates of HIPAA (see my details).
Data protection is becoming, indeed has already become, a regulatory, social and IT priority of every governmental entity.
All Rights Reserved
Raffaella Aghemo, Lawyer
