Effective as of March 21, 2020, New York State’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)requires that nearly all businesses, regardless of where they are based, take affirmative steps to protect computerized private information of New York residents.

The law does not apply to “small businesses,” which the SHIELD Act defines as those that have fewer than 50 employees, less than $3 million in gross annual revenue in each of the last 3 fiscal years, or less than $5 million in year-end total assets. However, small businesses must ensure that data security safeguards are appropriate for their size and complexity, the nature and scope of their activities, and the sensitivity of the personal information they handle. Businesses subject to other federal or New York State regulatory schemes governing data security are exempt.

As expanded by the SHIELD Act, “private information” of a New York resident is defined as:

1. a username or email address in combination with a password or security question and answer that would permit access to an online account; or
2. personal information (name, number, personal mark, or other identifier that can be used to identify a natural person) in combination with any one or more of the following data elements, when either the data element alone or the data element in combination with the personal information is not encrypted or is encrypted with an encryption key that has been accessed or acquired:
   • Social Security number;
   • driver’s license number or non-driver ID card number;
   • account number, credit or debit card number (a) in combination with any required security code, access code, password, or other information that would permit access to an individual’s financial account, or (b) if circumstances exist wherein such number can be used to access an individual’s account without additional identifying information, security or access code, or password; or
   • biometric information, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data that is used to authenticate or ascertain an individual’s identity.

Effective October 2019, the SHIELD Act expanded requirements for business to notify affected New York residents in the event of an electronic data breach. Effective March 2020, businesses covered under the SHIELD Act must develop and implement a data security program that contains reasonable safeguards to protect the security, confidentiality, and integrity of such information and its disposal. A compliant data security program includes:

• reasonable administrative safeguards, such as designating one or more employees to coordinate the security program, identifying reasonably foreseeable internal and external risks, and assessing the sufficiency of safeguards in place to control the identified risks;
• reasonable technical safeguards, such as assessing risks in network and software design, information processing, transmission, and storage, and testing and monitoring the effectiveness of procedures to detect and respond to attacks or system failures; and
• reasonable physical safeguards, in which the business assesses the risks of information storage and disposal, implements procedures to detect, prevent, and respond to intrusions, and protects against unauthorized access to or use of private information.

The SHIELD Act does not create a private right of action, but the New York attorney general may sue to enjoin violations of the act and seek civil penalties.

Businesses that are covered by the SHIELD Act may want to review their data security programs closely with their legal, HR, and information technology professionals.