SHIELD Act In Effect: Tips for Navigating Mandatory Cybersecurity Requirements

Howard K. Kurman, Principal, Offit│Kurman

Cybersecurity is top of mind for most organizations. However – did you know that it is now the law? New York recently enacted the Stop Hacks and Improve Electronic Security Act (the “SHIELD Act”). The SHIELD Act requires that organizations that own or license data that includes New York residents’ “private information” take reasonable steps to protect such information – even if the business is not located in New York.

The information the SHIELD Act defines as “private” includes (but is not limited to): social security numbers; driver’s license numbers or non-driver identification card numbers; biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics; and passwords/access codes associated with financial accounts.

Under the SHIELD Act, businesses that become aware of a breach of private information are required to provide notification to those impacted. That said, companies may be able to skip notifying those impacted if they can show that the disclosure of private information will not likely cause “financial harm.” In such cases, the company must still report to the New York attorney general, New York State Department of State Division of Consumer Protection, and the New York State Division of the State Police. Only the NY attorney general can file suit for violations (i.e., individuals or other businesses cannot sue).

If a violation is found, the liable business may be required to pay anywhere from $20 to $250,000 per offence. Given the potential liability, I recommend that companies transacting with New York residents’ data keep the following tips in mind:

  • Review all cybersecurity policies to ensure they include mechanisms for protecting private information.
  • Train company employees on how to deal with potential breaches in order to adhere to the SHIELD Act’s reporting requirements.
  • Make sure that your cybersecurity software has been reevaluated recently in order to provide your team with up-to-date tools.

If you have any questions about this or any other Labor and Employment topics, please contact me at [email protected] or 703-745-1849