NY Shield Act — Yet Another Responsibility for IT

If you’re in charge of IT, no matter your type of business, we’re pretty certain your plate is already piled with responsibilities. And if your company is in New York, does business with New York State residents, or holds their private information, your load grew heavier when the Governor signed NY Senate Bill S5575B into law in July 2019, with its data security requirements taking full effect in March 2020. You may not know it by its number, but rather as the Stop Hacks and Improve Electronic Data Security Act, the SHIELD Act for short.

Believe us. You’re not alone in your desperation. Other IT executives and managers who have customers in the State of New York feel your pain. And how do we know that? Because we provide first-class IT support for them. That’s right, our two brick and mortar National Networks offices may be situated in Southwest Texas and Southeast Louisiana, but our expert teams of certified IT professionals provide IT support and business computer services all over the continental U.S., and that includes complying with the requirements of privacy legislation like the NY SHIELD Act.

Think You Know All About Breach Notification in NY? Are You Sure?

The SHIELD Act was written to strengthen New York’s existing breach notification law. It updates the notification requirements, expands the types of data covered, and adds a requirement that any business holding New Yorkers’ private information implement reasonable safeguards to protect it. It also gives the Attorney General the authority to seek civil penalties from companies that fail to notify affected residents or fail to maintain those safeguards. And please note, ignorance of the law is no defense: penalties apply whether a violation stems from oversight or from knowing and reckless disregard, although the amount depends on which it was. So if you are in any way involved in protecting New Yorkers’ privacy rights, it’s in your best interest to learn all the T’s to be crossed and I’s to be dotted under the SHIELD Act. Read on and we will present the finer points of the law so you know which of the changes are now your responsibility.

Answers to the Questions You May Be Asking

The biggest difference between the SHIELD Act’s breach notification obligations and those of the previous rule is their reach: they now apply to any person or business that owns or licenses computerized data that includes a New York resident’s private information, wherever that business is located. The previous law reached only companies or individuals conducting business in New York State.

There are two other differences you should take note of.

One expands the definition of private information. Private information, as defined by the NY State SHIELD Act, is personal information (information that can identify a natural person, such as a name or number) combined with one or more of the following data elements. A data element counts when it is unencrypted, or when it is encrypted but the encryption key has also been accessed or acquired:

  • Social Security number
  • driver’s license number or non-driver identification card number
  • account number, or credit or debit card number, together with any security code, access code, password or other information that would permit access to the individual’s financial account; the account or card number alone also counts if it could be used to access the account without any additional identifying information
  • biometric information used to authenticate or identify the individual, such as a fingerprint, voice print, or retina or iris image

In addition, a user name or e-mail address in combination with a password, or with a security question and answer, that would permit access to an online account is private information on its own, with no other personal information required.

The other noteworthy change, and the one that increases the number of incidents you must report, is that notification is now triggered by unauthorized access to private information, not only by its acquisition. Under the old rules, the trigger was an unauthorized party actually acquiring the data. Now it is enough that the data was accessed, or is reasonably believed to have been accessed, by someone without valid authorization, and the law lets you weigh indications that the information was viewed, communicated with, used, or altered in making that determination. In practice, that means your logs and forensic evidence of what an intruder actually touched, not just what they could have taken, decide whether you have a reportable breach.

Financial Penalties for Non-Compliance Under the SHIELD Act

You should also familiarize yourself with the costs your company faces if it fails to promptly notify anyone potentially harmed by a data breach. How much depends on whether the failure was knowing or reckless. The Attorney General enforces the Act; there is no private right of action. For a failure to notify that was not knowing or reckless, the Attorney General can recover the actual costs or losses incurred by the affected residents, including consequential financial losses. For a knowing or reckless failure to notify, a court can impose a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000. Separately, failing to implement the reasonable safeguards the Act requires carries a civil penalty of up to $5,000 per violation, whether or not a breach has occurred.

Are You Overwhelmed Yet?

We’ve just begun to explain what your company faces now that the NY SHIELD Act is the law. But if you are already exhausted by contemplating your expanded responsibilities and the work involved, there is another way. You might want to consider enlisting a managed services provider who can take care of your IT security needs and, if you’d like, manage your data breach notification procedures and provide breach identification and notification training to your IT teams. Many in your situation entrust our company, National Networks, with these responsibilities. For information on what we do for them, we invite you to take a look at our nst.com website or call us with any questions you may have.