New York's SHIELD Act
In 2019, New York State passed new legislation, the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), N.Y. Gen. Bus. Law § 899-bb. The SHIELD Act requires businesses to implement reasonable safeguards to protect the security and confidentiality of the private information of New York State residents.
A business must adopt a data security program, and take the following measures:
Identify company employees who are responsible for enforcing the program.
Identify reasonably forseeeable external and internal risks.
Assess the adequacy of the safeguards, in particular evaluating:
data processing risks
data transmission risks
data storage risks
Provide training in the security program to its employees.
Engage service providers who are contractually bound to implement the safeguards.
Update the program as circumstances change.
Respond to attacks or failures of its system.
Test the effectiveness of its program.
Dispose of information when it is no longer needed for any business purpose.
The SHIELD Act specifically directs that electronic media be erased so that data cannot be reconstructed when private data is disposed of.
The measures taken by a smaller business need only be proportional to the resources of the business; the scope of its activities; and the nature of the personal information it collects, if the business has fewer than 50 employees; less than $3M in gross annual revenue for the past 3 years; or has less than $5M in total assets.
A business will be automatically considered to be in compliance with the SHIELD Act if it complies with the regulations of the following:
1. Title V of the Gramm-Leach Bliley Act which addresses consumer data held by financial institutions.
3. Health Information Technology for Economic and Clinical Health Act
4. New York State's cybersecurity requirements for financial services companies under 23 CRR-NY § 500; OR
5. The data security regulations of any other federal or New York state department or agency.
The SHIELD Act added biometric data, and user & password account information, to SSN, driver license number, bank account number, and credit card number data covered by earlier legislation.