Time is running out. The effective date of New York’s cybersecurity law mandating that organizations implement an information security program to protect “private information” of New York State residents, including employee and consumer data, is now only 45 days away. New York’s law requires the implementation of a cybersecurity program, including reasonable protective measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately take steps to comply with the Act’s requirements effective March 21, 2020. New York’s law covers all employers, individuals or organizations, regardless of size or location, which collect private information on New York State residents.
As we first reported last year at the time of the Act’s passage, the “Stop Hacks and Improve Electronic Data Security Act” (SHIELD ACT), signed into law on July 25, 2019, requires implementation of an information security program to protect “private information” defined as:
- any individually identifiable information such as name, number or other identifier coupled with social security number, driver’s or non-driver identification card number or account number, credit or debit card number in combination with any security code, access code, password or other information that would permit access to the individual’s financial account, or biometric information (such as fingerprint, voice print, retina or iris image);
- individually identifiable information coupled with an account number, credit or debit card number if circumstances exist wherein such number could be used to access an individual’s financial account even without additional identifying information, or a security code, access code or password; or
- a username or email address in combination with a password or security question and answer that would permit access to an online account.
The law broadly requires that “any person or business” that owns or licenses computerized data which includes private information of a New York State resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”
In order to achieve compliance, an organization must implement a data security program that includes:
- reasonable administrative safeguards that may include designation of one or more employees to coordinate the security program, identification of reasonably foreseeable external and insider risks, assessment of existing safeguards, workforce cybersecurity training, and selection of service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract;
- reasonable technical safeguards that may include risk assessments of network, software design and information processing, transmission and storage, implementation of measures to detect, prevent and respond to system failures, and regular testing and monitoring of the effectiveness of key controls; and
- reasonable physical safeguards that may include detection, prevention and response to intrusions, and protections against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal of the information.
All organizations that collect private information must independently satisfy the SHIELD Act three-part standard for protecting sensitive individual information. However, regulated organizations that are covered by and in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services cybersecurity regulations shall be deemed in compliance with the SHIELD Act.
Failure to implement a compliant information security program is enforced by the New York State Attorney General and may result in injunctive relief and civil penalties. We can expect vigorous enforcement because the Attorney General submitted the SHIELD Act as an agency sponsored bill to keep pace with the use and dissemination of private information. Press releases from the New York State Office of the Attorney General are here: June 17 and July 25, 2019. Any enforcement activity by the Attorney General’s office will also have other damaging consequences, such as damaging publicity and raise supply chain issues with the firm’s business partners. Private litigants bringing data breach lawsuits will almost certainly assert that any non-compliance shows a disregard of standards of due care in asserting negligence claims for failing to protect sensitive individual information. See our August 12, 2019 Client Advisory for What Businesses and Employers Should Do Now.