New York’s SHIELD Law and its Impact on Connecticut Businesses
The Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”) took effect in New York on March 21, 2020. The SHIELD Act imposes certain data security requirements on “[a]ny person or business which owns or licenses computerized data which includes private information” of a resident of New York. For the purposes of the Act, private information is personal information that contains certain data elements (including social security numbers, driver’s license numbers, account numbers, credit or debit card numbers, information that would enable access to an individual’s financial account, and biometric information), or a username or email address combined with a password or a security question and answer that would permit access to an online account. In effect, this law reaches people and businesses outside the state of New York that maintain private information of New Yorkers.
The SHIELD Act requires covered businesses to develop, implement, and maintain reasonable safeguards to protect the security of private information. This obligation can be satisfied in two different ways:
- Businesses can be in compliance with the SHIELD Act if they are a “compliant regulated entity.” This means an entity subject to, and in compliance with, a data security regulatory framework. Examples of such frameworks include HIPAA and the Gramm-Leach-Bliley Act. Importantly, if an entity, such as a health care provider, relies on its compliance with HIPAA to fulfill its obligations under the SHIELD Act, it must also ensure that it complies with respect to private information concerning its employees and other individuals who are residents of New York, not just patients.
- Businesses can also be in compliance with the SHIELD Act, even if they are not a compliant regulated entity, by adopting a compliant data security program which covers administrative, technical, and physical safeguards to such private information.
Reasonable Administrative Safeguards include measures by which the person or business:
- designates one or more employees to coordinate the security program;
- assesses the sufficiency of safeguards in place to control the identified risks;
- trains and manages employees in the security program practices and procedures;
- selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
- adjusts the security program in light of business changes or new circumstances.
Reasonable Technical Safeguards include measures by which the person or business:
- assesses risks in network and software design;
- assesses risks in information processing, transmission and storage;
- detects, prevents and responds to attacks or system failures; and
- regularly tests and monitors the effectiveness of key controls, systems and procedures.
Reasonable Physical Safeguards include measures by which the person or business:
- assesses risks of information storage and disposal;
- detects, prevents and responds to intrusions;
- protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
- disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Small businesses also must adopt reasonable administrative, technical, and physical safeguards in order to comply with the SHIELD Act. However, those safeguards may be adjusted based on several factors, including the size and complexity of the business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects.
As the SHIELD Act extends to all individuals and businesses, including those outside of New York, that maintain private information of New York residents, Connecticut businesses should assess the applicability of the SHIELD Act and their data protection procedures in order to ensure compliance.
Disclaimer: The information contained in this material is not intended to be considered legal advice and should not be acted upon as such. Because of the generality of this material, the information provided may not be applicable in all situations and should not be acted upon without legal advice based on the specific factual circumstances.