CYBER RISK CLIENT ALERT: The SHIELD Act Requires Corporations to Implement Cyber-Security Measures

by

Introduction

New York will soon take another step forward towards protecting residents’ confidential data. As of March 21, 2020, any company that owns or licenses computer data that contains the private information of a New York resident must implement and maintain reasonable measures to protect that information.  This new legislation impacts any business that obtains or preserves New York residents’ confidential information regardless of where that business is located.  New York’s expanding protection serves as yet another reminder of the importance of corporate cyber-resilience.

In 2005, New York enacted the “Information Security Breach and Notification Act.”[1] (“Notification Act”).  As with other states throughout the country, the New York State legislature recognized the significant adverse impact of data security breaches as well as identity theft, and further recognized that New York residents were “hindered by a lack of information regarding breaches. . . .”  Accordingly, the state legislature enacted the Notification Act to ensure that New York residents are properly informed in the event of a data breach, as such information would empower residents to implement measures designed to repair damage and, if possible, prevent future damage from a data breach.

The October 2019 Amendment

Recently, the New York legislature recognized the need for the law to keep pace with technological developments. Effective October 23, 2019, New York renamed the Notification Act as the “Stop Hacks and Improve Electronic Data Security Act”, colloquially called the “SHIELD Act”. 

The SHIELD Act has broadened the definition of what is considered “private information”, which includes personal information (as defined by the act), social security and drivers’ license numbers, account and credit card numbers coupled with passwords, as well as email addresses or user names and passwords or other security information. Importantly, the SHIELD Act provides that “private information” also includes “biometric information” which is defined as any “data generated by electronic measurements of an individual’s unique physical characteristics” and this data includes “a fingerprint, voice print, retina or iris image, or other unique physical representations or digital representations of biometric data which are used to authenticate or ascertain the individual’s identity. . . .” The SHIELD Act does not consider “medical information” to be “private information.” 

Under the SHIELD Act, New York’s notification requirements are triggered in the event an unauthorized individual acquires or obtains access to private information.  In other words, under the broader language of the SHIELD Act, a breach occurs if an unauthorized individual obtains access to private information without actually acquiring it.  This expanded protection afforded to New York residents requires a higher degree of vigilance by corporations covered by the Act.

Data Security Measures Must Be Implemented By March 21, 2020

Starting on March 21, 2020, the SHIELD Act will require corporations to affirmatively implement reasonable data security measures.  Under this portion of the Act, businesses will be required to initiate and maintain a data security program that includes reasonable administrative, technical and physical safeguards.  It is critical that any covered businesses are proactive in their efforts to comply with the technical requirements of the SHIELD Act.        

Legal Consequences

A business that fails to comply with the SHIELD Act’s notification requirements or mandate to implement reasonable security measures may be subject to serious legal consequences.  While the SHIELD Act does not itself create a private cause of action or provide a basis for class action lawsuits, the Act does authorize the New York Attorney General to initiate appropriate legal action.  In such an action, the SHIELD Act allows a court to award actual costs as well as “consequential financial losses” incurred by a New York resident who was entitled to but did not receive notice required by the Act.  Courts are also authorized to impose a civil monetary penalty in appropriate circumstances.

Corporations Must Proactively Pursue Cyber-Resilience

The approaching effective date of the SHIELD Act is yet another reminder of the importance of cyber-resilience.  Given the virtual inevitability of a cyber-related event, it is critical for all organizations to implement and adhere to best practices in order to minimize the risk of a cyber-attack.  Companies must engage in appropriate employee training and risk assessment activities, should endeavor to destroy stale private information that no longer serves a business purpose, must only retain vendors who implement appropriate cyber-security safeguards, and should regularly evaluate the nature and extent of applicable insurance coverage.

[1] N.Y. General Business Law § 899-aa.

Get Updates By Email

Blog Contributors