
The NY SHIELD Act is Coming: Time for a Cybersecurity Checkup?

What Companies Must Do to Ensure Compliance

by Matthew Levine
February 21, 2020
in Cybersecurity, Featured

The New York SHIELD Act will go into effect in just a few weeks, so if your organization serves residents of New York, the time is now to make sure your company is in compliance with the law. Guidepost Solutions’ Matthew Levine provides an overview for compliance pros.

In July 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. Because it takes effect in a matter of weeks (March 21, 2020 to be exact), companies should be thinking about how to address its new cybersecurity requirements, which are substantial.

The SHIELD Act puts into place two significant changes that seek to enhance protection for data privacy. First, the law expands New York’s breach notification requirements in several ways, including by making subject to its reach any person or business that owns, uses or licenses computerized data that includes the “private information” of New York residents (as defined in the Act). Reasonably interpreted, this expansive definition reaches every business (with limited exceptions) that holds or uses private information of New York residents – even if the company does not actually conduct business within New York State.

The second major change (and the focus of this article) is the SHIELD Act’s new requirement that entities subject to the law “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” By this language, the Act creates an entirely new regulatory regime for a very large number of businesses – ranging from global corporations to much smaller entities – that hold or use New Yorkers’ private information. Much like the California Consumer Privacy Act, which went into effect January 1, 2020, the impact of this regulation may cross state and national borders, significantly affecting how business is conducted in the U.S. and beyond.

Regulatory Requirements

The regulatory requirements for a covered entity’s cybersecurity program are quite broad, but seemingly sensible. In a nutshell, the law requires:

  • Administrative Safeguards: An adequate cybersecurity program must have administrative safeguards, in which the business (1) designates one or more employees to coordinate the cybersecurity program; (2) assesses internal and external data-security-related risks and the sufficiency of safeguards in place to control the identified risks; (3) trains and manages employees in the cybersecurity practices; (4) selects vendors who are capable and obligated under contract to meet cybersecurity standards; and (5) adjusts the cybersecurity program in light of changes or new circumstances.
  • Technical Safeguards: A compliant cybersecurity program also must implement technical safeguards, in which the business (1) assesses data-security-related risks of network and software design and information processing, transmission and storage; (2) detects, prevents and responds to attacks or system failures; and (3) tests and monitors the effectiveness of controls, systems and procedures.
  • Physical Safeguards: An adequate cybersecurity program also must implement physical safeguards, in which the business: (1) assesses risks of information storage and disposal; (2) detects, prevents and responds to intrusions; (3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Compliance and Enforcement

A significant and challenging part of the law for covered entities is that the SHIELD Act authorizes the New York Attorney General (NYAG) to enforce all of these new provisions. The NYAG has, for many years, acted in the role of enforcer, bringing actions under the prior iteration of the law arising out of specific data breaches where it found inadequate notice to consumers or other misconduct. Under the SHIELD Act amendments, the NYAG continues in this role, able to seek even greater penalties for violations arising from insufficient notice provided to consumers following a data breach.

However, the requirements of the SHIELD Act for an adequate cybersecurity program are not just punitive, but also broadly prescriptive. They create an entirely new set of rules by which thousands of businesses with a New York nexus must live every day – not just in the instance of a data breach. As part of routine information technology operations, covered businesses must maintain a cybersecurity program consisting of adequate administrative, technical and physical safeguards.[i]

The NYAG is now empowered to enforce compliance with these new standards as well. The SHIELD Act provides that the NYAG may now ask a court to impose penalties of up to $5,000 “per violation” on a company with a substandard cybersecurity program. It is unsettled what constitutes a single “violation” under the law, and in the absence of statutory definition, the law typically favors a broad reading of this term. Nor does the Act require that a data breach occur for there to be a violation of the cybersecurity standards, and the law provides no cap on its statutory penalties.

Unlike the New York Department of Financial Services (NYDFS), the U.S. Securities and Exchange Commission or other prudential supervisors, which conduct periodic examinations of regulated institutions to ensure they are in compliance with applicable laws and regulations, the NYAG is neither authorized nor equipped to conduct such inspections of businesses subject to the SHIELD Act’s cybersecurity requirements. As noted, the NYAG serves principally in the capacity of an enforcement and litigation agency; its attorneys and staff (as a general matter) investigate, prosecute and litigate. They do not examine or recommend to entities how to bring their cybersecurity programs into compliance with the new law, and it would appear the NYAG does not have the resources to do so in any event. So, while the NYAG has significant experience in enforcing matters related to data breaches, up until now it has not had the same breadth of experience, or knowledge of a particular entity, as would a supervisory agency.

Take a Proactive Approach

Thus, the burden of ensuring that a company’s cybersecurity program is compliant with the SHIELD Act falls upon that company. If a covered entity is the victim of a data breach that affects New York residents (and it is frequently said that this is a question of when, not if), it is incumbent upon the company not only to comply with the breach notification provisions of the SHIELD Act, but also to demonstrate to the NYAG that its cybersecurity program is fully compliant with this law. Best practices argue that this type of effort should occur on a periodic basis, using either internal resources or, more commonly, an outside vendor with experience in cybersecurity hygiene.

It could be disastrous for a company to wait until it suffers a data breach to then measure whether its cybersecurity program is compliant with the SHIELD Act. Advocating to the NYAG that a company is in compliance after the event of a data breach – when the company lacks an objective evaluation of its cybersecurity program before the breach – likely will be met with substantially greater skepticism by the NYAG. With the effective date only a short time away, it is reasonable to begin conducting a gap analysis or other review of a company’s cybersecurity program imminently.

[i] Where an entity is in compliance with other mandatory regulations governing data security, such as the New York Department of Financial Services cybersecurity regulation, HIPAA or the Gramm-Leach-Bliley Act, then the law deems the entity to be in compliance with the SHIELD Act as well.

Matthew Levine

Matthew Levine is President of Financial & Regulatory Compliance Services at Guidepost Solutions. Matthew specializes in assisting companies in compliance matters and investigations, including risk assessments, strengthening risk management and compliance programs, remediation efforts, corporate monitorships and internal investigations. Before joining Guidepost Solutions, Matthew served as Executive Deputy Superintendent for Enforcement for the New York State Department of Financial Services (DFS). He supervised numerous investigations and enforcement actions, including complex matters involving money laundering, terrorist financing, cybercrime and cybersecurity, virtual currency fraud, market manipulation, tax fraud and consumer fraud. He also supervised numerous monitorships implemented by DFS at financial institutions, served as the central point of coordination for other civil and criminal authorities, both in the United States and abroad, and represented DFS in court in certain high-impact litigation. Matthew is a former federal prosecutor and trial lawyer with significant experience in matters involving the financial markets. For nearly a decade, he served as an Assistant U.S. Attorney, first in the U.S. Attorney’s Office for the District of Columbia and later in the U.S. Attorney’s Office for the Eastern District of New York. There, he served as Acting Chief of the Business & Securities Fraud Section, supervising a group of federal prosecutors conducting securities fraud, money laundering, cybercrime and other white-collar prosecutions. He began his career at the Justice Department, serving as the Deputy Director for Intergovernmental Affairs, where he focused on law enforcement policy and acted as a liaison to other federal and state law enforcement agencies. He has also counseled and represented corporate and individual clients in civil and criminal matters while at two major law firms, and later in his own law practice. He specialized in representing clients in matters involving the financial markets, cybercrime, and trade secrets and other intellectual property. Following law school, Matthew clerked for United States District Judge Barefoot Sanders of the Northern District of Texas.