By: Mary F. Ognibene
The data security requirements of New York’s “Stop Hacks and Improve Electronic Data Security (SHIELD) Act” became law on March 21, 2020. The inadvertent timing of that overlap with the beginning of the Coronavirus pandemic in New York State only serves to underscore the importance of data security as threats steadily increase while frameworks adapt to large portions of the economy switching to remote work.
As a quick primer, the Shield Act is specifically designed to protect New York State residents from exposure of private information due to cyber-attacks, and it does so by increasing data protection and data breach notification requirements binding businesses that collect that information.
At the heart of the data protection requirement of the Shield Act is a data security program to be developed by individuals and businesses (regardless of physical location) if they own or license computerized data that contains private information of New York residents. The Shield Act defines “private information” to mean either (a) personal information (individually identifiable information, such as a name) in combination with (i) a social security number, (ii) a driver’s license number, (iii) an account number, credit or debit card number (whether or not paired with a security code), or (iv) biometric information (fingerprint, voice print, retina, iris image, etc.); or (b) a user name or email address in combination with a password or security question and answer that would permit access to an online account.
Regulated organizations subject to and in compliance with the federal Gramm-Leach Bliley Act, HIPAA, the Health Information Technology for Economic and Clinical Health Act, and/or the New York State cybersecurity regulations are deemed to be in compliance with the data protection requirement of the Shield Act without further action.
Individuals and businesses falling outside the purview of the above-referenced laws and regulations must implement a data security program to protect the security of the private information of New York residents housed in the computerized data they own or license. To that end, any party in this category should adopt a written information security plan (a “WISP”) to document its data security protocol and the method by which it avoids and responds to security incidents. WISPs responsive to the Shield Act should take particular care to reflect the reasonable administrative, technical and physical safeguards prescribed by New York State for all individuals and businesses subject to Shield Act requirements. You can read about those safeguards here: THE SHIELD ACT - New York State Cybersecurity Law Updates
Take note that businesses of any size across New York State should be looking at developing a WISP. Small businesses in particular (a person or business with (a) fewer than 50 employees, (b) less than $3,000,000 in gross annual revenue in each of the last 3 fiscal years, or (c) less than $5,000,000 in year-end total assets) are deemed to have already met the reasonable security requirement of the Shield Act if the small business’s security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers. By developing a WISP, a small business will establish a documented protocol to administer its data security network, which can prove those very requirements.
While the Shield Act evidences the serious and expanding effort by New York State to address growing cybersecurity risks, the WISP offers businesses a centralized written protocol to document their security efforts and ongoing compliance. WISPs should also be frequently reviewed to ensure they adapt to ongoing business needs as well as changes in the cybersecurity landscape. This takes on particular importance in these Covid times.
We encourage consultation with legal counsel as well as IT professionals to ensure you develop a customized WISP in compliance with Shield Act requirements.
This publication is intended as an information source for clients, prospective clients, and colleagues and constitutes attorney advertising. The content should not be considered legal advice and readers should not act upon information in this publication without individualized professional counsel.
McConville Considine Cooman & Morin, P.C. is a full-service law firm based in Rochester, New York, providing high-quality legal services to businesses and individuals since 1979. With over a dozen attorneys and a full paralegal support staff, the firm is well-positioned to right-size services tailored to each client. We are large enough to provide expertise in a broad range of practice areas, yet small enough to devote prompt, personal attention to our clients.
We represent a diverse range of clients located throughout New York State and New England. They include individuals, numerous manufacturing and service industry businesses, local governments, and health care professionals, provider groups, facilities and associations. We also serve as local counsel to out-of-state clients and their attorneys who have litigation pending in Western New York courts. For more information, please contact us at 585.546.2500.