Lost in the confusion amid COVID-19 and the subsequent shockwaves it sent throughout the world is that a new data security law recently went into effect in New York State.

The law, an amendment to the state's data breach notification law, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, requires any organization that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including but not limited to disposal of data.”

While the SHIELD Act was first passed last July, security requirements outlined by the act didn’t into effect until March 21 last month.

Those requirements mandate that an entity implement a data security program that meets a trio of safeguards, including administrative, technical, and physical requirements:

On an administrative-level, organizations need to:
designates an employee to coordinate the security;

identifies reasonably foreseeable internal and external risks;

assesses the sufficiency of safeguards in place to control the identified risks;
trains and manages employees in the security program practices and procedures;
selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
adjusts the security program in light of business changes or new circumstances.

Technically, organizations need a data security program that:

• assesses risks in network and software design;
•  assesses risks in information processing, transmission, and storage;
•  detects, prevents, and responds to attacks or system failures; and
•  regularly tests and monitors the effectiveness of key controls, systems, and procedures.

Physically, organizations need a data security program that:

•  assesses risks of information storage and disposal;
•  detects, prevents, and responds to intrusions;
•  protects against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and
•  disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

The SHIELD Act previously improved data breach notification requirements in the state on October 23, 90 days after it was passed. Those requirements, since tweaked, now include data points like:

•  Social security number
•  Driver’s license number or non-driver identification card number
•  Account number, credit, or debit card number in combination with other identifiable data
•  Biometric information like fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation
•  User name or email address in combination with a password or security question

Changes to the breach rules also expanded on the definition of a breach to include the mere accessing data, in addition to simply acquiring it.

“Breach of the security of the system shall mean unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of [personal] private information maintained by a business,” the law reads.

Some businesses, like those in the healthcare and financial sphere, may not have to worry about complying with the SHIELD Act if they already comply with other laws on the books, like HIPAA or the GLBA. Entities covered by HIPAA still need to ensure they comply with the SHIELD Act for non-ePHI however. For instance, if a hospital or healthcare facility experiences a breach of non HIPAA-regulated data, those entities will still need to follow through a reporting protocol.

Smaller businesses – businesses with less than 50 employees or under $3 million dollars in revenue - may not have to conform to the SHIELD Act either. The law requests that smaller businesses apply "reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.”

If an organization is found to have recklessly violated the SHIELD Act, a court could impose penalties of $5,000. Not complying with the SHIELD Act's breach notification requirement could result in a fine of $20 per instance of failed notification, as long as the total doesn't exceed $250,000. Reasonable safeguard requirement violations could fetch up to $5,000 per violation.