As data breaches increase in frequency and severity, regulators are implementing new data privacy laws to reduce consumer risk.
Currently, there are no comprehensive data security or privacy laws at the federal level. As a result, individual states are implementing laws to protect their residents. Unfortunately, this creates a complex maze of overlapping data privacy laws businesses must follow. The NY SHIELD Act is an example of one of these laws.
What is the NY SHIELD Act?
The NY SHIELD Act, or Stop Hacks and Improve Electronic Data Security Act, is a set of laws that require businesses to take specific steps to ensure the security and privacy of sensitive customer data. Implemented in 2020, it amended New York State’s existing data breach notification law to impose stricter data security requirements on companies, to protect consumers’ personally identifiable information from misuse, breach, or unauthorized access.
Who Needs to Comply with the NY SHIELD Act?
The NY SHIELD Act applies to all companies operating in New York State or gathering information from residents of New York, even if they are not based in New York or the United States.
What’s Required of Businesses?
Businesses must implement a Data Security Program and reasonable safeguards to ensure private information is stored and erased safely. These safeguards include physical, technical, and administrative controls to protect sensitive information. Additionally, if a breach occurs, businesses must notify the customers whose data has been compromised.
What Are the Consequences of Non-Compliance?
Businesses must take “reasonable” steps to comply with the NY SHIELD Act. Companies that fail to take these steps or lack proper security measures could face fines and penalties. Fines for non-compliance range from $5,000 up to a maximum of $250,000, and the state Attorney General can also initiate a civil action and levy penalties against violators.
Recent civil actions for violations of the SHIELD Act include:
- Wegmans agreed to pay $400,000 in penalties in June 2022 after it was discovered that cloud storage containers hosted on Microsoft Azure had been left unsecured and open to public access, potentially exposing consumers’ data.
- A 2020 agreement with EyeMed, which resolved a 2020 data breach that compromised the personal information of approximately 2.1 million consumers nationwide, required the company to pay $600,000 in penalties.
- In 2022, the NY AG and 45 other Attorneys General received $1.25 million from Carnival Cruise Line as part of a multistate settlement after a 2019 data breach exposed the personal information of 180,000 Carnival employees and customers nationwide.
“In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers,” wrote NY Attorney General Letitia James regarding the Wegmans settlement.
Is this like CCPA?
Yes and no. The California Consumer Privacy Act (CCPA) is a data privacy law, while the NY SHIELD Act is a data security law. The CPRA, a later update to the CCPA, adds data security provisions.
The main takeaway is that, just as with the CCPA, businesses must comply with the SHIELD Act if they conduct business in the state or collect information from residents, even if the company is located outside the state.
What Are the Key Requirements of the SHIELD Act?
The NY SHIELD Act requires companies to:
- Implement security measures appropriate for the size, scope, and type of business.
- Ensure their service providers maintain the same level of data security as they do.
- Create a written Information Security Program to protect sensitive customer information from unauthorized access or use.
- Regularly assess and test the security of their systems.
- Provide training to their staff on security and privacy best practices.
- Notify customers in a timely manner in the event of a data breach.
How Can I Comply with the NY SHIELD Act?
The best way to comply with the NY SHIELD Act is to create an Information Security Program that addresses the requirements of the law. The program should include policies and procedures for protecting sensitive information, such as multifactor authentication and access control measures; regular testing of your systems; staff training on data security best practices; and timely notification to customers in the event of a breach. You should also ensure that any third-party vendors you use are compliant.
Data Security vs. Data Privacy: What’s the Difference?
It’s essential to understand that data security and data privacy are not interchangeable terms. While both aim to protect data, they focus on different aspects. Data privacy focuses on individuals and their right to keep their personal information from being used by companies and governments without consent. Data security protects sensitive information against unauthorized access by employees, bad actors, or malicious software. Ultimately, the goal of both is to keep data safe so that organizations and consumers can trust that it is being used as intended.
Next Steps for Compliance
The NY SHIELD Act is a vital law for protecting sensitive information and maintaining consumer trust in an organization. Business executives must ensure full compliance with the law, including implementing a data security program, performing routine assessments, and responding appropriately to security incidents. Working with an IT partner experienced with the SHIELD Act and other data privacy laws and regulations is ideal. Protecting customer data is essential in today’s digital world and can only be achieved by implementing effective security measures.