New York's New Data Security Requirements
In the fall of last year, we wrote about the passage of the SHIELD Act (the Act) in New York, which expanded aspects of the state's breach notification requirements (Breach Requirements) and created a statutory obligation to maintain reasonable data security (Security Requirements). While the Breach Requirements went into effect on October 23, 2019, the new Security Requirements will kick in on March 21, 2020. As mentioned in our previous post, the SHIELD Act will require any business or person that owns or licenses computerized, “private information” (as broadly defined in the Act) of a New York resident to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the information. In this post, we'll focus on what the Act says about how a business can achieve compliance with the Security Requirements.
It's important to note that the Act does not prescribe specific safeguards or security measures that a business must implement in order to comply with the Security Requirements. Instead, the Act sets a baseline of "reasonable safeguards" for all businesses and then identifies three situations in which businesses will be deemed in compliance with the Security Requirements.
- Compliant Regulated Entity. A business will be deemed in compliance with the Security Requirements if it is a "compliant regulated entity" under the Act, which means the business is in compliance with data security requirements under any applicable federal or New York state laws, rules or regulations, such as the federal Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and the NY DFS Cybersecurity Requirements for Financial Services Companies.
- Data Security Program with Administrative, Technical and Physical Safeguards. A business will be deemed in compliance with the Security Requirements if it implements a data security program that includes administrative, technical and physical safeguards such as:Administrative Safeguards
- Designating an employee to coordinate the security program;
- Identifying reasonably foreseeable risks;
- Assessing the sufficiency of current safeguards;
- Training and managing employees;
- Selecting service providers capable of appropriate safeguards and requiring those safeguards by contract;
- Adjusting the security program as the business or circumstances change;
Technical Safeguards
- Assessing network and software design risks;
- Assessing information processing, transmission and storage risks;
- Detecting, preventing and responding to attacks or system failures;
- Regularly testing and monitoring effectiveness of key controls, systems and procedures;
Physical Safeguards
- Assessing information storage and disposal risks;
- Detecting, preventing and responding to intrusions;
- Protecting against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal; and
- Disposing (by erasing) of private information after it's no longer needed.
- Flexible Security Program for Small Business. A "small business" under the Act will be deemed in compliance with the Security Requirements if it maintains a data security program that contains reasonable administrative, technical and physical safeguards appropriate for its size and complexity, the nature and scope of its activities and the sensitivity of personal information collected. The small business security program provision does not include specific safeguards like those found in the general data security program "deemed compliance" option described in #2 above. Instead, the Act appears to allow for more flexibility for small businesses to determine what safeguards are reasonable as they develop and maintain their respective security programs. By the way, a "small business" is defined in the Act as a person or business with (i) fewer than fifty employees, (ii) less than $3MM in gross annual revenue in each of the last three fiscal years, or (iii) less than $5MM in year-end total assets (calculated in accordance with GAAP).
What constitutes "reasonable safeguards" under the Act can certainly vary from business to business; however, the Act provides a helpful roadmap for legal compliance. Also, in addition to security measures for legal compliance, businesses should consider whether there are other security measures that can be implemented to improve their overall cybersecurity posture.
Bobby Turnage leads Sands Anderson’s Cybersecurity and Technology Team. If you have any questions about this post or any other information security issues, please reach out to Bobby or a member of the Cybersecurity and Technology Team.