New York SHIELD Act: What You Need To Know

Bojana Krstić
Jatheon Technologies Inc
4 min read · Feb 3, 2020


Today, we look at the New York SHIELD Act and how it will affect archiving in your organization.

Following the lead of California, Virginia, Nevada and the EU, the state of New York has substantially amended its data breach notification law by signing the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law.

The Act aims to better safeguard the personal information of New York residents by requiring any person or business that holds New Yorkers’ private information, wherever that business is located, to adopt more stringent security measures and processes.

Unlike the CCPA, the SHIELD Act does not create a private right of action or give residents new rights over what companies may store about them. It is enforced by the New York Attorney General, who can seek civil penalties from businesses that fail to comply.

In short, the biggest change the SHIELD Act brings is a broader definition of “private information”, which now covers the following data elements:

  • biometric information (fingerprint, voice print, retina or iris image, etc.)
  • account number, and credit/debit card number (these qualify as private information even without a security code, access code or password if the account or card can be used without them)
  • username or email address in combination with a password, or with security questions and answers
  • social security number
  • driver’s license number or non-driver ID card number

Shield Act and Data Archiving

While the SHIELD Act will give regulators more leverage over how residents’ information is acquired, stored, and managed, it will also pose significant challenges to companies operating both in the State of New York and beyond.

Part of that challenge concerns data archiving and its technical/software requirements, in particular how data is stored and disposed of in compliance with data retention laws.

To be compliant under the SHIELD Act, among other requirements, a business needs to implement a data security program with reasonable physical safeguards such as the following:

  • assesses risks of information storage and disposal;
  • detects, prevents and responds to intrusions;
  • protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
  • disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed (N.Y. Gen. Bus. Law §899-bb(2)(b)).

For a full list of requirements, refer to the Shield Act text.

To define the concrete steps you must take toward compliance, we’ve broken these safeguards down into a list of questions to assess your current archiving system against; the answers will tell you which compliance measures you still need to take.

The data security provisions of the Act take effect on 21 March 2020 (the amended breach notification provisions have been in force since 23 October 2019), so there is little over a month left to get your data management in order.

*Please note that the information below is for informational purposes only; consult your legal team for advice.

Requirement 1: Assess risks of information storage and disposal

What you need to assess:

  • How secure is your archiving software, and has its security been independently assessed?
  • Is it cloud-based or on-premises?
  • Does it encrypt data in transit and at rest, and does it enforce strong authentication?
  • Who has access to your archive, and is that access logged?
  • How often is your archive patched and updated?
  • Do you have the means to dispose of stored information so that it cannot be read or reconstructed?

Requirement 2: Protect against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information

What you need to assess:

  • Can you set custom access policies and privileges?
  • Can you designate responsible persons to collect/transport/dispose of information through your software?
  • Who is in charge of these measures?

Requirement 3: Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed (N.Y. Gen. Bus. Law §899-bb(2)(b))

What you need to assess:

  • Can you set retention periods after which all information is disposed of automatically?
  • Can your software support custom retention periods and policies?
  • Can you set custom tags for your data so that all information is preserved in line with requirements?
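The three questions above describe a retention engine: per-tag retention periods, custom policies, and a disposal step that leaves nothing readable. The following is an added example written for this article (it is not code from the original post or from any archiving product) showing one way such an engine can work. The RETENTION_DAYS schedule, the “legal_hold” tag and the sample records are all constructed for illustration; the cipher is a minimal HMAC-SHA256 counter-mode keystream so the example runs on the standard library alone, and a production system would use AES-GCM from a vetted library with data keys held in a KMS or HSM. Disposal is done by crypto-shredding, i.e. destroying the record’s data key, which makes every copy of the ciphertext (backups included) unreadable even where the bytes themselves cannot be overwritten.

```python
"""Retention-policy evaluation with crypto-shredding disposal (added example).

Assumptions: each archived record carries tags; each tag maps to a retention
period in days (RETENTION_DAYS is a hypothetical schedule); a "legal_hold"
tag blocks disposal regardless of age. Encryption below is illustrative only.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: days after the business purpose ends, by tag.
RETENTION_DAYS = {"hr": 7 * 365, "marketing": 365, "support": 3 * 365}
LEGAL_HOLD = "legal_hold"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per message; prepended to the ciphertext
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Record:
    record_id: str
    tags: set
    last_needed: date  # date the business purpose for this record ended
    ciphertext: bytes


class Archive:
    """Ciphertext and per-record data keys are kept in separate stores on purpose."""

    def __init__(self) -> None:
        self.records: dict[str, Record] = {}
        self.keys: dict[str, bytes] = {}
        self.audit_log: list[tuple[str, str, str]] = []  # (record_id, action, ISO date)

    def ingest(self, record_id: str, tags: set, last_needed: date, plaintext: bytes) -> None:
        key = os.urandom(32)  # one data-encryption key per record
        self.keys[record_id] = key
        self.records[record_id] = Record(record_id, set(tags), last_needed, encrypt(key, plaintext))

    def read(self, record_id: str) -> bytes:
        key = self.keys.get(record_id)
        if key is None:
            raise KeyError(f"{record_id}: data key destroyed, record cannot be reconstructed")
        return decrypt(key, self.records[record_id].ciphertext)

    def due_for_disposal(self, today: date) -> tuple[list[str], list[str]]:
        """Return (ids past their retention period, ids that need human review)."""
        due, review = [], []
        for rec in self.records.values():
            if LEGAL_HOLD in rec.tags:
                continue  # a hold overrides every retention period
            if not rec.tags or any(t not in RETENTION_DAYS for t in rec.tags):
                review.append(rec.record_id)  # unknown tag: fail closed, never auto-dispose
                continue
            longest = max(RETENTION_DAYS[t] for t in rec.tags)  # longest applicable period wins
            if rec.last_needed + timedelta(days=longest) <= today:
                due.append(rec.record_id)
        return due, review

    def dispose(self, record_id: str, today: date) -> None:
        # Crypto-shred: destroy the key first so every copy of the ciphertext, backups
        # included, becomes unreadable; then drop the blob. Python cannot reliably zero
        # memory, so with a KMS/HSM this step is the key-destroy call.
        del self.keys[record_id]
        del self.records[record_id]
        self.audit_log.append((record_id, "crypto-shredded", today.isoformat()))


def demo(today: date = date(2020, 3, 21)) -> tuple[Archive, list[str], list[str]]:
    """Constructed sample records; returns the archive plus the evaluation result."""
    a = Archive()
    a.ingest("r1", {"marketing"}, date(2018, 1, 1), b"newsletter signup: jane@example.com")
    a.ingest("r2", {"hr"}, date(2019, 6, 1), b"employee file: performance review 2019")
    a.ingest("r3", {"marketing", LEGAL_HOLD}, date(2017, 1, 1), b"campaign data under litigation hold")
    a.ingest("r4", {"unclassified"}, date(2010, 1, 1), b"old export with no retention tag")
    due, review = a.due_for_disposal(today)
    for rid in due:
        a.dispose(rid, today)
    return a, due, review


if __name__ == "__main__":
    archive, due, review = demo()
    print("disposed:", due, "needs review:", review)
    print("r2 still readable:", archive.read("r2"))
```

Two design choices matter for the Act’s wording: a record whose tags have no retention period goes to a review queue instead of being silently kept forever or deleted, and a legal hold always wins over the schedule. Running the demo on the constructed data disposes only r1 (the marketing record a year past its purpose), keeps r2 and the held r3, flags r4 for review, and leaves r1 unreadable because its key no longer exists.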

There are more requirements to account for in order to ensure full compliance with the NY SHIELD Act. In particular, the Act treats a “compliant regulated entity” as already meeting its data security requirement if that entity is subject to, and in compliance with, any of the following:

  • the federal regulations promulgated pursuant to 15 U.S.C. 6801–6809 (Title V of the Gramm-Leach-Bliley Act);
  • the federal regulations implementing HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH);
  • 23 NYCRR Part 500 (“Cybersecurity Requirements for Financial Services Companies”) promulgated by the Department of Financial Services; or
  • any other data security laws and regulations of the federal and New York State governments.

So if your business or institution is already regulated under one of these regimes, your compliance work for the SHIELD Act largely consists of verifying that you meet those existing obligations; if it is not, the safeguards described above apply directly.

To help you get started, we’ve created a compliance checklist for education, as well as a compliance checklist for government agencies, where you can check your compliance with similar laws, and hence with the Shield Act.

Originally published at https://jatheon.com on February 3, 2020.
