Today, we look at the New York SHIELD Act and how it will affect archiving in your organization.
Following California, Virginia, Nevada and the EU, the state of New York has made substantial changes to its data breach notification law by signing the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law.
The Act aims to better safeguard residents’ personal information by requiring businesses and persons who handle New Yorkers’ personal information to enact more stringent security measures and processes.
Considered more draconian than the CCPA, the Shield Act will allow citizens to directly sue companies for policy violations, and will give them the right to decide which information companies can store about them.
NY SHIELD Act Summary
In short, these are the biggest changes that the Shield Act brings:
- The scope of “private information” gets broadened. Under the Shield Act, personal information will also include:
  - biometric information (fingerprint, voice print, retina or iris image, etc.)
  - account number and credit/debit card number (these qualify as personal information even without a security/access code or password, in cases where the account or card can be used without those security measures)
  - username/email address in combination with a password or security questions and answers
  - social security number
  - driver’s license number or non-driver ID card number
- The scope of “breach” gets expanded. Previously, a “breach” meant the unauthorized acquisition of computerized data; it will now also include unauthorized access that compromises the integrity, confidentiality or security of private information.
- The Act also applies to businesses outside New York. Before the Act was passed, the privacy requirements applied to companies operating within the State of New York. Now, regardless of where you run your business from, you will need to pay extra attention to what information you collect about New York residents and how you handle it. This makes it more difficult for companies to break into the NY market and requires additional effort to maintain records properly.
- Companies need to implement data security measures. Under the Shield Act, companies will need to implement measures to protect the integrity, security and confidentiality of personal information. This means companies need to put specific measures in place regarding employee training, vendor contracts and timely data disposal.
Shield Act and Data Archiving
While the Shield Act will undoubtedly give more rights to individuals over how their information is acquired, stored, and managed, it will also pose significant challenges to companies operating both in the State of New York and beyond.
Part of the challenge concerns data archiving and technical/software requirements, in particular how data is stored and disposed of in compliance with data retention laws.
To be compliant under the Shield Act, among other requirements, a company needs to:
(iv) implement a data program that has reasonable physical safeguards such as the following:
- assesses risks of information storage and disposal;
- detects, prevents and responds to intrusions;
- protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
- disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed. Id. §899-bb(2)(b).
For a full list of requirements, refer to the Shield Act text.
How This Affects You
To define the concrete steps you must take to ensure compliance with the Shield Act, have a look at the following table.
We’ve broken the requirements down into a list of questions to assess your current archiving system against, so that you can specify the compliance measures you should take.
*Please note that this table is for informational purposes only, and that you should consult your legal team for advice.
|Requirement|What you need to assess|
|---|---|
|“Assesses risks of information storage and disposal”| |
|“Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information”| |
|“Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed. Id. §899-bb(2)(b).”| |
There are more requirements to account for in order to ensure full compliance with the NY Shield Act. In particular, there is a set of questions concerning adherence to similar data protection laws, which requires entities to act in accordance with the following:
- the federal regulations promulgated pursuant to 15 U.S.C. 6801-6809 (Title V of the Gramm-Leach-Bliley Act);
- the federal regulations implementing HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH);
- 23 NYCRR Part 500 (“Cybersecurity Requirements for Financial Services Companies”), promulgated by the Department of Financial Services; and
- any other data security laws and regulations of the federal and New York State governments.
This set of requirements covers a broad range of conditions that businesses and institutions need to meet in order to comply with the provisions of the Shield Act.
The NY Act takes effect on 21 March 2020, so there is a little over a month left to get your data management in order.
To help you get started, we’ve been working on compliance checklists for education (already out!) and government agencies (coming out soon), which let you check your compliance with similar laws, and hence with the Shield Act.