March 21, 2020, may have marked the beginning of a new era in how American laws hold businesses accountable for their data practices. That is the date the data security requirements of New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act took effect (its expanded breach notification provisions had already been in force since October 2019), and, to quote The National Law Review, “we can expect vigorous enforcement.”
If your business collects the personal data of New York residents — whether you’re a retailer with customers there or a company with New York-based employees — the SHIELD Act imposes a new set of obligations for controlling access to personal data and reporting breaches.
Below, we’ll answer some common questions about who the SHIELD Act affects, what exactly it requires, and how to achieve and maintain compliance.
Will the SHIELD Act Affect my Business?
The SHIELD Act applies to “employers, individuals, or organizations” that collect the “private information” of New York residents. Much like the California Consumer Privacy Act (CCPA), the SHIELD Act is a state law, but businesses don’t have to be headquartered or even do business in New York State to fall under its jurisdiction. The SHIELD Act applies to the data of employees, as well as customers, so it’s actually broader than CCPA, which granted a yearlong employee exemption.
In a nutshell: if your business has customers or employees in New York State, the SHIELD Act probably applies to you.
There are limited carve-outs. Businesses already regulated under HIPAA, the Gramm-Leach-Bliley Act, or the New York Department of Financial Services cybersecurity regulation are deemed to satisfy the safeguards requirement if they comply with those regimes, although the breach notification rules still apply to them. Small businesses, which the law defines as those with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets, are not exempt either: they must still maintain safeguards, but only ones appropriate to the size and complexity of the business, the nature of its activities, and the sensitivity of the information it holds.
Most privacy laws regulate “personal data,” generally understood to mean any information that could be used to identify an individual. The SHIELD Act instead defines a narrower term, “private information”: personal information coupled with a data element that could let someone get into the individual’s financial or online accounts.
The law describes private information as personal data (name, physical address, IP address, etc.) plus any of the following elements, “when either the data element or the combination of personal information plus the data element is not encrypted or is encrypted with an encryption key that has also been accessed or acquired.”
Social security number, driver’s license number, or other state-issued identification
Account or card number, in conjunction with a security code, password, or other information that grants access to someone’s financial account
Biometric information used for identification (fingerprint, voice print, etc.)
Username or email address in combination with a password or security question and answer that grants access to an online account (this element counts as private information on its own, even without any other personal information attached)
If your business does not adequately control access to unencrypted private information, you could be penalized. Unlike CCPA, no actual breach needs to occur for the New York Attorney General (AG) to take action. Customers or internal whistleblowers can alert the AG if they suspect that private information is vulnerable. While the law creates no private right of action, the NY AG can seek civil penalties of up to $5,000 per violation for failing to maintain reasonable safeguards, and, for failures to notify after a breach, the greater of $5,000 or $20 per failed notification, capped at $250,000. And according to PYMNTS, “The legal community expects that the law will be aggressively pursued.”
What Does the SHIELD Act Require?
As the SHIELD Act’s full name indicates, the law has two distinct goals: limit the impact of breaches that expose private information, and mandate baseline data security practices so that fewer breaches happen in the first place.
Breach Reporting Requirements
In the event of a data breach, any business that owns or licenses private information must disclose the breach to New York residents who may have been affected.
However, there is a major exception to this requirement: notification is not required if the breach was “an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”
In other words, if your head of HR accidentally shares a spreadsheet of your employees’ addresses and SSNs with someone else in your organization who was already authorized to see that data, you do not have to notify the affected employees. But even if you fall under the exception, you must still document the incident and your rationale for not notifying. Furthermore, if the incident affects more than 500 New York residents, you must also provide that written determination to the AG within 10 days of making it.
Data Security Requirements
The SHIELD Act requires “reasonable safeguards” to protect data, and it goes farther than many other laws in laying out exactly what those are.
The law says that businesses can be considered compliant by instituting a data security program with the following elements, which are broken up into administrative, technical, and physical safeguards:
Administrative safeguards
Tasking at least one employee with coordinating security (for most organizations, this is the CISO and their team)
Identifying internal and external risks
Assessing the sufficiency of safeguards to control risks
Training and managing employees in the security program
Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract
Technical safeguards
Assessing risk in network and software design, information processing, transmission, and storage
Detecting, preventing, and responding to attacks or system failures
Regularly testing and monitoring key controls and procedures
Physical safeguards
Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
Disposing of private information after it is no longer needed for business purposes so that the information can’t be read or reconstructed
How to Get Compliant With the SHIELD Act
The SHIELD Act requires businesses to put a variety of technical and administrative safeguards in place to protect private information. Thankfully, businesses can learn from current best practices and enlist outside expertise to put these safeguards into place.
Step up Your Access Management System
Much of the SHIELD Act comes down to controlling who can reach information that could compromise New Yorkers’ private accounts. So examining your business’ Identity and Access Management (IAM) system is a sensible first step toward compliance. If you’re using a legacy, in-house IAM solution, it may be time to consider an upgrade that provides stronger authentication and gives admins a clearer picture of who can access sensitive data and from where.
Implementing multi-factor authentication (MFA) on both your internal and customer-facing systems is one of the most effective ways to prevent unauthorized access, because it defeats the most common attack: reuse of a stolen password. A hacker should not be able to reach private information using only a username and password taken from an admin. Instead, anyone trying to access your most sensitive data should be required to present an additional factor, such as a hardware token, a security key, or a biometric.
Auth0’s platform lets users customize MFA to choose what additional factors to request and when to request them.
A sophisticated IAM platform also makes it easier to see, at a glance, who has access to data via a centralized dashboard. Using this, admins can instantly grant and revoke permissions as needed, reducing the likelihood of inadvertent breaches.
Conduct a Data Audit and Vulnerability Testing
Your organization might already have some skeletons in its closet that have accumulated over the years, like a spreadsheet with the unencrypted names and SSNs of employees. To locate those vulnerabilities, you need to empower your CISO and consider hiring an outside security consultant to assess your situation. Your CISO should also lead the effort to train your employees in security protocols.
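The audit the paragraph above describes starts with finding private information that is sitting around in plaintext. The scanner below is an added example, not code from the original article or from Auth0: it walks text or CSV content line by line and flags two of the SHIELD Act’s data elements, SSNs and payment card numbers, using structural checks (SSA area/group/serial rules, the Luhn checksum) to cut down false positives, and it records only masked values so the audit log does not itself become a spreadsheet of SSNs. The HR export it runs on is constructed sample data, and the regular expressions and plausibility rules are this example’s own assumptions about how such data typically appears, not anything the law prescribes.

```python
"""Locate plaintext SHIELD Act data elements (SSNs, card numbers) in text.

Added example for a data audit; not the article's or Auth0's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Assumed formats: dashed SSNs and 13-19 digit card numbers with optional
# single space/hyphen separators. Adjust for your own data sources.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    line: int     # 1-based line number within the scanned text
    kind: str     # "ssn" or "card"
    masked: str   # all but the last four digits redacted


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(lineno, "ssn", mask("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(lineno, "card", mask(digits)))
    return findings


def scan_files(paths: list[Path]) -> dict[str, list[Finding]]:
    """Scan each file as text; binary junk is replaced rather than crashing the audit."""
    return {str(p): scan_text(p.read_text(errors="replace")) for p in paths}


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: one real-looking row, one row whose values fail the
# structural checks, and one row with an order number that is not a card.
SAMPLE_HR_EXPORT = """\
employee,ssn,card_on_file,notes
Jane Doe,219-45-6789,4111 1111 1111 1111,badge 0412
John Roe,000-12-3456,4111 1111 1111 1112,both values fail structural checks
Ann Poe,123-45-6789,,order 1234567890123
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE_HR_EXPORT)
    for f in found:
        print(f"line {f.line}: {f.kind} {f.masked}")
    print("summary:", summarize(found))
```

Run against the sample, the scanner reports an SSN and a card on line 2 and an SSN on line 4; the row with an unissued area number and a card that fails Luhn is skipped, as is the 13-digit order number. Pointing `scan_files` at file shares or exported backups is the practical version of the audit, and the masked output is what you hand to the CISO, not the raw values.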
The law also requires you to vet every third party with whom you share private information: you must select service providers capable of maintaining appropriate safeguards and bind them to those safeguards by contract. If a vendor presents a risk, limit its access to private information and require higher security standards in future contracts.
It’s also vital to regularly revisit your data security policies to make sure they reflect current legal and technological standards. The law asks for “reasonable” safeguards, and what counts as reasonable moves: encryption or password hashing that was acceptable five years ago may no longer hold up as a defense if it is broken or deprecated today.
SHIELD Your Customers, Your Data, and Your Company
CISOs rarely jump for joy at the arrival of a new piece of data privacy legislation, but the SHIELD Act may turn out to be a net positive for business. It is more specific and prescriptive in its requirements than many of the laws that have gone before it, so it leaves less room for confusion and goes farther in creating agreed-upon standards for data best practices.
Given that enforcement of this law is likely to be sweeping and costly, there’s no time to waste in putting these best practices in place. If you’d like to learn how a cutting-edge customer identity and access management (CIAM) platform can be part of your compliance solution, reach out to Auth0.