How Organizations Can Prepare for New York’s SHIELD Act

The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) went into full effect March 21, 2020. Amid the onset of COVID-19, it was easy to overlook the significance of this new law, but it has now been in full effect for quite some time and requires attention from organizations of all kinds.

The SHIELD Act expands the definition of “private information” covered under the state law, broadens the circumstances that are considered a data breach, and outlines security safeguards that organizations must follow if they own or maintain data on New York residents. Importantly, failure to comply with the law can carry a fine of up to $250,000.

Which Organizations are Subject to the NY SHIELD Act?

Any organization that collects or maintains computerized private information on New York residents, even if the organization does not own that data or is not located in the state, is subject to the SHIELD Act. 

This type of compliance based on customer location rather than business location is common among privacy laws, but it’s particularly noteworthy in the case of the SHIELD Act since New York’s previous law only applied to organizations that conducted business in the state. Additionally, New York’s position as one of the most highly populated states in the US gives the SHIELD Act a wide reach.

New York does modify compliance expectations for certain small businesses and federally regulated organizations:

Small businesses

• Who: Any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets (based on generally accepted accounting principles). 

• Compliance Modification: These organizations must follow all data breach notification policies but can adjust the required safeguards to make them more appropriate for the size and scope of their business as well as the sensitivity of the data they collect.

Federally regulated organizations

• Who: Any business subject to the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Gramm-Leach-Bliley Act, or New York Division of Financial Services Cybersecurity Regulation. 

• Compliance Modification: These organizations do not need to issue another notification to consumers in the case of a data breach beyond what’s already required, but they do need to notify the applicable state agencies and consumer reporting agencies. The cybersecurity measures required under these regulations also qualify these organizations as compliant with the safeguards required by the SHIELD Act.

Finally, since compliance with the SHIELD Act focuses on “private information,” it’s important to understand what that looks like under the law’s expanded definition. New York has defined private information to include:

• Personal information (any name, number, personal mark, or other identifier that can be used to identify a natural person) in combination with at least one of the following, when either the data is not encrypted or when the encryption key has also been accessed or acquired:
  • Social security number
  • Driver’s license number or non-driver identification card number
  • Account, credit card, or debit card number, in combination with any required security code, access code, or password that would grant access
  • Account, credit card, or debit card number, if the account can be accessed without any additional identifying information, security code, access code, or password
  • Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation used to authenticate or determine identity
• A username or email address in combination with a password or security question and answer that would grant access to an online account

The latter three data points — financial account information without a security code, biometric information, and username/email address in combination with password — are all new elements of what’s considered private information under the SHIELD Act.

How is the SHIELD Act Enforced?

Responsibility for enforcing the SHIELD Act sits with the New York Attorney General, who can issue civil penalties of up to $5,000 per violation. 

The attorney general can also issue a penalty for failing to comply with breach notification requirements. The law dictates this penalty should be $20 per instance of failed notification, not to exceed $250,000. 

The attorney general has three years from the time the office becomes aware of a breach to issue a penalty, with no action allowed to be taken after six years from the date of discovery. One notable exception to this rule is if organizations take steps to hide the breach. 

There is no private right to action in New York under the SHIELD Act.

What Does the SHIELD Act Require for Incident Response?

Any data breach that compromises private information requires incident response in the form of a breach notification under the SHIELD Act. Importantly, the SHIELD Act updated what exactly this means in the state of New York.

Previously, data breach notifications were only required in cases when an unauthorized party acquired private information. Under the SHIELD Act, notifications are now required in cases when unauthorized parties access private information (e.g. in cases that indicate information was viewed, communicated with, used, or altered by a person without valid authorization). Overall, the shift from acquisition to access creates a significantly lower threshold for what constitutes a data breach.

The SHIELD Act only grants two exceptions to issuing a data breach notification under these requirements:

• If the organization is already required to issue a notification under one of the designated federal regulations.
• If the point of access was due to an inadvertent disclosure from someone with authorized access, and if the organization can reasonably determine that the instance is not likely to result in any misuse or financial or emotional harm to the affected individuals. In this case, organizations must document this determination in writing and maintain that record for at least five years. Additionally, if the disclosure included information on more than 500 New York residents, the organization must share this written determination with the state attorney general within 10 days of completing it.

In all other cases, organizations must issue a data breach notification to all affected New York residents and the state attorney general. While the SHIELD Act does not outline any timing requirements for issuing this notification, the law does include guidelines for how to issue a notification and what information it must include.

How to Issue a Notification

Organizations have three options for issuing a data breach notification:

• Written notice
• Electronic notice, only in cases where individuals have expressly consented to receiving this type of notice and acceptance was not required as part of doing business (requires a log of all notifications)
• Telephone notice (requires a log of all notifications)

The SHIELD Act also allows for a substitute notice if the cost of issuing a notification would exceed $250,000, if the incident affected more than 500,000 New York residents, or if the organization doesn’t have sufficient contact information. A substitute notice should include all of the following:

• Email notice, if email addresses are available and the breach did not compromise email address and password/security question (if it did, organizations must instead provide a clear and conspicuous notice online when the consumer is connected via an IP address or an online location they regularly use to access their account)
• Conspicuous posting of the notice on the organization’s website, if it has one
• Notice to major statewide media

What to Include in the Notification

The notification to affected New York residents must include:

• Contact information for the organization
• Telephone numbers and websites for the relevant state and federal agencies that provide information regarding security breach response, identity theft prevention, and protection information
• Description of the categories of information that were accessed or acquired by a person without valid authorization, including specifics about which elements of data were involved

Organizations must also alert the state attorney general, the department of state, and the division of state police about the timing, contents, and distribution of notices, including a copy of the template notice sent to consumers. 

Finally, if the breach affected more than 5,000 New York residents, organizations must also notify consumer reporting agencies about the timing, content, and distribution of notices, as well as the approximate number of individuals affected.

What Types of Privacy Incidents Qualify as a Data Breach Under the SHIELD Act?

By expanding the definition of private information and changing breach qualifications from “acquisition” to “access” of that information, the SHIELD Act sets a lower threshold for what’s considered a data breach that requires notification. However, it also makes an exception for cases of inadvertent disclosure, which is contrary to many other privacy laws like the EU’s GDPR and California’s CCPA and CPRA.

With that in mind, there are still a variety of instances that can trigger data breach notification requirements under the SHIELD Act. Some of the most common examples include:

Man in the Middle Attacks

A man in the middle attack occurs when a hacker sits in between a digital conversation (e.g. one between two people or a person and a machine) and intercepts the information passing back and forth. Hackers most often gain access to intercept information in this way through unsecured public wifi networks. Any time a hacker can establish this connection and intercept information, they create a potential data breach situation.

Password Attacks

A password attack occurs when an unauthorized party gains access to a user’s password and uses that information to access secure systems. Hackers can attain this password information in a variety of ways, such as through social engineering attacks, password databases, or even by guessing simple passwords. Cases where employees with authorized access fall victim to a password attack that gives a hacker unauthorized access to a company’s secure systems can trigger a data breach notification under the SHIELD Act.

Improperly Exposed Data

A company that improperly exposes personal data, for example by failing to properly encrypt it or even sharing it with the wrong party, may have to issue a data breach notification under the SHIELD Act. Although New York does offer protection in the case of inadvertent disclosures, organizations must “reasonably determine” the incident caused no harm to the affected consumers (which still requires an investigation and a report to the State Attorney General). This nuance is something organizations should be aware of, particularly given the lack of definition to date around “reasonable determination.”

How Can Organizations Prepare for the SHIELD Act?

Organizations must take responsibility for protecting consumers’ private information, as the SHIELD Act requires businesses to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information.” 

The law goes so far as to outline reasonable administrative, technical, and physical safeguards required for compliance (applicable to any business not following one of the designated federal regulations). These safeguards include:

Based on these requirements, particularly the administrative requirements, organizations should pay close attention to three critical phases of incident response:

1) Readiness

What: Have a response plan ready that allows for a quick and confident response when an incident occurs. 

Why: Even with all the right safeguards in place, privacy incidents are now a matter of “when” not “if,” and a faster response can reduce the associated costs.

How: Understand what’s required by any applicable laws, like the SHIELD Act, and what’s outlined in customer and partner contracts. Then develop incident response plans accordingly.

2) Response

What: Act on response plans when an incident does occur.

Why: Remain compliant with all regulations, including New York’s investigation and notification requirements, to avoid any penalties and maintain trust with consumers.

How: Identify what happened, including who was affected, what data was accessed, when it happened, and what the potential risks are. Determine if a notification is required based on the circumstances and, if it is, issue that notification to the affected individuals and agencies with the complete information based on privacy laws like the SHIELD Act. Along the way, it’s important to start fixing the issue to prevent it from happening again.

3) Ongoing Management

What: Revisit incident response on a regular basis.

Why: Incident response measures will need to change based on updates to privacy regulations, customer and partner contracts, and potential security threats. The SHIELD Act also requires these types of ongoing adjustments as part of its administrative safeguards for compliance.

How: Introduce a centralized dashboard that creates a single source of truth for all reporting, monitoring, and incident response plans. Ensure all stakeholders have access to that dashboard so that they have visibility into security measures and response plans and can stay aligned on any adjustments to those plans.

What Can Organizations Expect from New York When it Comes to Enforcing the SHIELD Act?

Although we have yet to see any high profile cases with hefty fines for organizations that violate the SHIELD Act, two recent actions by the New York Attorney General reveal that the state is serious about enforcing the new privacy law.

This attention to enforcement is important to note since responsibilities sit with the attorney general’s office, which also has many other areas of focus that could distract attention from SHIELD Act violations, as opposed to a dedicated enforcement agency (as is the case in California and Brazil).

New York Warns Zoom to Strengthen Security Measures

On March 30, 2020, shortly after the final elements of the SHIELD Act went into effect, the New York Attorney General issued a letter to video-conferencing company Zoom about its security measures.

Specifically, as Zoom experienced a surge in usage when the COVID-19 pandemic hit, a handful of security concerns surfaced. For example, users reported instances of “Zoombombing,” or unauthorized guests entering private meetings, and it was discovered that Zoom passed certain data to Facebook and LinkedIn. 

In response, the New York Attorney General sent a letter to Zoom raising concerns about their security measures and asking the company to detail what they would be implementing in response to the recently discovered flaws.

Zoom announced a plan to improve security and privacy within one day of receiving the letter and the state opted not to move forward with any kind of enforcement, citing the value Zoom was providing by making its service available for free during the height of the pandemic.

New York Reaches Agreement with Dunkin’ Brands to Improve Security

In September 2019, just before the updated data breach notification elements of the SHIELD Act went into effect, the New York Attorney General issued a complaint against Dunkin’ Brands based on the company’s data security practices.

The complaint alleged that the company had experienced several data breaches regarding its customer rewards program, DD Perks, from 2015-2019 that provided access to consumers’ personal information and that the company failed to take corrective action to prevent future occurrences.

Ultimately, the New York Attorney General and Dunkin’ Brands reached an agreement that required the company to pay a penalty of $650,000 (not based on the SHIELD Act, which was not yet in effect) and to introduce new measures to protect consumer data. These measures are aligned with the SHIELD Act, as they require Dunkin’ Brands to maintain a comprehensive security program based on designated administrative, technical, and physical safeguards.

Why Proactive Incident Response Matters

The New York SHIELD Act is yet another example of privacy laws popping up worldwide that make it essential for organizations to proactively prepare incident response plans.

Proactively preparing for incident response is not only required by laws like the SHIELD Act, but it can also deliver enormous benefits to organizations at a time when data breaches are inevitable. 

This type of preparation can ensure compliance with laws even as they continue to change, and therefore reduce associated penalties in many cases (e.g. in the case of the SHIELD Act, which also includes a penalty for failure to properly notify residents of a breach). Additionally, it can help organizations recover from incidents faster and maintain trust with customers.

Delivering on this type of proactive preparation means organizations must regularly track new regulations, develop response plans accordingly, assign responsibility for acting on those plans, and regularly manage those plans based on changes to regulations.