Cybersecurity is an area that virtually every business owner has become familiar with given the volume of daily online interaction between businesses and their clients.  The New York State Legislature recently enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which will take effect on March 21, 2020, in order to impose data security requirements on New York companies. The law requires businesses to implement safeguards that protect New York State residents’ private information, applies to all businesses that collect such information regardless of size or location.  The SHIELD Act, which takes effect later this month, aims to ensure that when a person shares private information with a business it is adequately protected from an unauthorized third party.

The types of private information that are subject to cybersecurity, according to the Act, include a person’s name when it is coupled with the person’s social security number, driver’s license number, financial account number or biometric information including a person’s fingerprint.  Also included is a username or email address when attached to a security question and answer that allows access to the individual’s email account.  Private information does not include information available to the general public from available public records maintained by a government agency.  An example is information provided on a deed that is recorded in a County Clerk’s office.

In order to adequately comply with the Act, businesses must put into action a data security program that provides the following:

(i) reasonable administrative safeguards including designating an employee or employees to manage the security program, review of current safeguards and the selection of adequate service providers to properly maintain safeguards and adequately address expected risks;

(ii) reasonable technical safeguards to assess risks in software design, transmission and storage of information and to regularly test the efficiency of implemented safeguards; and

(iii) reasonable physical safeguards that assess risks, detect and respond to system breakdowns and regularly test the efficiency of key controls.

Certain businesses are currently regulated by government agencies that require data security measures.  These businesses are defined in the Act as “compliant regulated entities” and are deemed to be in compliance with the Act given the existing obligation to provide data security to customers and clients pursuant to laws enacted prior to the SHIELD Act including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Gramm-Leach-Bliley Act which is also known as the Financial Modernization Act of 1999.

Businesses that knowingly and recklessly fail to comply with the SHIELD Act will risk being subject to a claim brought by the NYS Attorney General’s Office that can result in injunctive relief and civil penalties.  The full text of the Act is available at https://www.nysenate.gov/legislation/bills/2019/s5575