NY SHIELD Act: Are you Ready?

Coming to New York in March 2020 is the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The SHIELD Act updates the approach to cybersecurity in New York, requiring proactive actions on the part of companies to protect the personal data of New York residents. This means that the SHIELD Act, like many more recent regulations (e.g., GDPR and CCPA), has an extra-territorial effect. The SHIELD Act does not implicate only companies that are doing business in the Empire State, but any company that collects personal data on New York residents. We provided a breakdown of the key elements of the NY SHIELD Act in a previous post.

But, as the deadline for the Act is fast approaching, if you are a company that collects (or has collected) personal data on New York residents, what do you need to do?

Short answer: SOMETHING

Remember, it is not just customer data, but also employee data, vendor data . . . basically, all data. Cybersecurity works in two (2) ways. It requires an organization to protect, one, external-facing data, i.e., customer/client data. It also requires an organization to protect, two, internal data, i.e., employee data. Companies need to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information” for both types of data.

How does an organization protect the integrity of private information? It can, and should, implement administrative, technical and physical safeguards. Administrative safeguards include:

  • Designating one or more employees to coordinate the security program;
  • Performing a risk assessment to identify reasonably foreseeable internal and external risks and to assess the sufficiency of the safeguards in place to control the identified risks;
  • Training and managing employees in the security program’s practices and procedures;
  • Vetting third-party vendors; and
  • Implementing contractual provisions that require data privacy/security safeguards of vendors.

Technical safeguards should include assessments of risks in network and software design, and in information processing, transmission, and storage, as well as measures to detect, prevent and respond to attacks or system failures. And let us not forget regular testing and monitoring of the effectiveness of key controls, systems and procedures. This is not a set-it-and-forget-it problem; your solutions and systems need to continue to evolve as technology, and the associated risks, also evolve.

In addition, an organization needs to include physical safeguards, which address the risks associated with the storage and disposal of data, including protecting private information against unauthorized access during or after its collection, transport and destruction, and disposing of it within a reasonable time after it is no longer needed. For those organizations that are used to compliance, the SHIELD Act seems commonplace (e.g., healthcare entities that fall under the Health Insurance Portability and Accountability Act (HIPAA)). However, for others that are not in a traditionally regulated industry, the SHIELD Act can seem onerous and confusing.

Another point of confusion is that, like most cybersecurity regulations, the SHIELD Act does not mandate specific safeguards. While companies are frustrated by this, it is intentional, to allow companies a flexible approach to compliance. An organization will “be deemed to be in compliance with” this standard if it implements a “data security program” that includes the administrative, technical and physical elements enumerated above. But be careful: this is not a one-size-fits-all proposition. Be wary of any “compliance in a box” solution. Most companies work very hard at differentiating themselves in the market. That differentiation, while critical from a marketing perspective, also makes rote compliance practically impossible. Embracing the differences in a business is critical, not just from a marketing perspective, but from a cybersecurity perspective as well.

Finally, what are most organizations concerned with when it comes to a regulation? Penalties. For the SHIELD Act, the New York State Attorney General can seek up to $250,000 for a company’s failure to provide breach notification, up from the previous statute’s $150,000, and civil penalties of up to $5,000 per violation of the reasonable-safeguards requirement. The Act does not create a private right of action. The proactive data security requirements of the SHIELD Act do not take effect until March 21, 2020, so there is still time to comply.

What are the key things you should do today?

  1. First, assess the situation. What type of data is your organization collecting, and why? Understanding your data is the first step to compliance with any regulation.
  2. Next, don’t assume that just because some of your data already requires the company to comply with other privacy-oriented regulations (e.g., HIPAA or the Gramm-Leach-Bliley Act (GLBA)), all of your data is covered by that compliance program. The rest of it still has to be protected under the SHIELD Act.
  3. And finally, embrace the change. The simple fact is, regulations in cybersecurity and data privacy are here and multiplying. It seems like each year we are faced with a new law with new implications. Be aware of which regulations your organization is required to comply with, but also think ahead. Just because you are not triggering a regulation today does not mean you will not tomorrow.

The NY SHIELD Act, and the many regulations that have gone or will go into effect, are not there simply to torture companies, but to prepare them for the realities of the digital world we live in today. Because, in cybersecurity and data privacy most especially, luck favors the prepared.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.