With the coronavirus (“COVID-19”) pandemic dominating the news these days, it is understandable that many missed that New York’s Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act went into full effect on March 21. The SHIELD Act allows the New York Attorney General to prosecute businesses that fail to provide proper data breach notices and those that have unreasonable data security standards. Companies that fail to comply with these security requirements may face civil penalties of up to $5,000 per violation.
The SHIELD Act was implemented in two phases. The first phase broadened New York’s existing breach notification requirements and went into effect in October 2019. The second phase requires businesses to adopt reasonable safeguards and went into effect on March 21.
In terms of reasonable security measures, the SHIELD Act requires businesses that own or license New York residents’ private information to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” The SHIELD Act divides these safeguards into three categories: “administrative, technical and physical safeguards,” and specifies different examples within each category.
For example, these safeguards include mandates that businesses designate one or more employees to coordinate the security program, train and manage employees in the security program practices and procedures, and dispose of private information within a reasonable amount of time after it is no longer needed for business purposes. Luckily, a list of these safeguards has been available since July 2019, when the SHIELD Act was enacted.
The SHIELD Act gives small businesses leeway to implement these safeguards in ways that are “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”
Because the SHIELD Act’s security requirements apply to any business that collects or maintains New York residents’ private information, and because New York is the fourth-most populous state, the law is likely to have a broad impact. Furthermore, as COVID-19 has forced consumers to interact online more than ever, businesses should be especially aware of their data security obligations under the new legislation.