On July 25, 2019 Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), amending the state’s data breach notification law and expanding the requirements for reporting a data breach. Additionally, the definition of “private information” has been expanded to include:
- SSN, Driver License or other state ID card #
- Account #, Credit card # in combination w/ security code, password
- Biometric information such as fingerprint, retina/iris image,
- Username or email address with a password or answer to security question
Who does this apply to:
The SHIELD Act applies to any person or business that owns or licenses computerized data containing private information of New York residents, regardless of whether that person or entity conducts business in New York.
This applies to Agio’s clients as it relates to their investors and employees.
When is it effective?
The Bill’s amendments to the breach notification law take effect on October 23, 2019. (Section 1,2,3,5). The amendments to New York’s general business law take effect on March 21, 2020 (section 4).
Breaking It Down
The act identifies practices considered reasonable and categorizes the “safeguards” as administrative, technical, and physical, which is what we’ve seen before with HIPAA and Reg S-P.
Reasonable administrative safeguards include:
- The designation of one or more employee to coordinate the security program
- Identifying reasonably foreseeable internal and external risks
- Assessing the sufficiency of safeguards in place to control the identified risks
- Training and managing employees about the security program practices and procedures
- Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract
- Adjusting the security program in light of business changes or new circumstances
Reasonable technical safeguards include:
- Assessing risks in network and software design
- Assessing risks in information processing, transmission, and storage
- Detecting, preventing, and responding to attacks or system failures
- Regularly testing and monitoring the effectiveness of key controls, systems, and procedures
- Review and validation of encryption mechanisms for data at rest and data in transit
Reasonable physical safeguards include:
- Assessing risks of information storage and disposal
- Detecting, preventing, and responding to intrusions
- Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
- Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes
Actions for Agio’s clients:
- Designate one or more individuals to coordinate the security program
- Update breach notification requirements in the WISP to include notice requirements to NY State AG, The NY Department of State, and the NY State Office of Information Technology Services
- Create a notification template (to be shared with the NY State AG)
- Create a template/breach log for documenting workflows, actions, and outcome of the determination process when a breach is suspected
Agio delivers policy language, a notification template and a breach log template for our cybersecurity program clients. Contact us if you’d like to learn more about becoming a client and how we can help you.
Should a firm suspect a data privacy breach (under NY law = private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization):
- Determine if notice is required (document the template/breach log)
- Determine if an exception applies, e.g. exposure of private information occurs as the result of an inadvertent disclosure by an authorized person and where a business reasonably determines the exposure poses no risk of financial or emotional harm to the affected persons
- Determine if your firm is obligated to notify individuals under another regulation such as GLBA, HIPAA, and NY DFS Cybersecurity Regulation
*Note if individual notification falls under another regulation a notification to the NY State AG is still required.
If the AG believes there is a violation of the law the court may award damages for actual costs or losses incurred by a person including consequential financial losses. The court may impose a civil penalty the greater of five thousand dollars or up to twenty dollars per instance of failed notification up to $250,000. For our clients, the reputational damage is the greater loss, as the event would become public.