By Susie Kenerson, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.
The Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) (Senate Bill 5575) was signed into law on July 25, 2019. The Act amends Article 39-F of New York’s general business law, which includes data breach notification requirements for businesses and adds a new mandate for businesses to have programs for data protection and security of their information systems.
Article 39-F is now titled Notification of Unauthorized Acquisition of Private Information; Data Security Protections and includes Section 899-aa and the new Section 899-bb.
The set of businesses that must comply with the data breach notification requirements broadens significantly under the SHIELD Act. Before the amendment, Article 39-F governed only businesses conducting business in New York State. The SHIELD Act extends the requirements to any business that owns or licenses computerized data that includes private information of New York residents, including businesses operating outside the state. These same businesses are also now required to have a program for protecting that data and securing their information systems.
The amendments to data breach notification requirements are effective October 23, 2019.
The new data security protection requirements are effective March 21, 2020.
Significant requirements brought by the SHIELD Act are:
Protection of Private Information
Businesses that own or license computerized data which includes private information of New York residents are required to have a specific program for data protection and security of their information systems.
Businesses will be deemed compliant with the SHIELD Act if they implement and maintain reasonable administrative, technical and physical safeguards appropriate to the business, taking into account its size and complexity, the nature and scope of its activities, and the sensitivity of the private information it holds.
Alternatively, entities are deemed compliant if they are already subject to, and comply with, the data security requirements of Title V of the Gramm-Leach-Bliley Act, HIPAA and HITECH, 23 NYCRR Part 500 (the New York Department of Financial Services cybersecurity regulation), or the data security rules and regulations of any other federal or New York State department, division, commission or agency.
The Attorney General may bring an action for violations. The court may issue an injunction to stop a business from continuing the violation. In addition, the court may award damages for actual costs or losses incurred by consumers as a result of a failure to provide the required notification.
For knowingly or recklessly violating the notification requirements, the court may impose a civil penalty of the greater of $5,000 or up to $20.00 per instance of failed notification, not to exceed $250,000 in total. This is an increase from the previous $10.00 per instance and $150,000 maximum.
In addition, failure to comply with the new data protection and security requirements is treated as a deceptive act or practice under New York's General Business Law, subject to civil penalties of up to $5,000 per violation.
Businesses both inside and outside New York that own or license private information of New York residents must take note of the updated data breach notification requirements, which became effective October 23, 2019, and must ensure they are compliant with the data protection and security requirements by March 21, 2020.