What are reasonable data security procedures under the NY SHIELD Act?

This March, companies who are in the business of collecting data from New York residents will be responsible for ensuring that data is protected by reasonable security procedures. 

Last July, Governor Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (“the SHIELD Act” or “the Act”). The SHIELD act made three major changes to New York’s data breach notification law, affecting any and all companies that collect New Yorker’s personal information. My previous post discussed which companies were subject to the statutory requirements as well as the first two main changes that went into effect last month. This post will examine the third change—requiring businesses to adopt reasonable data security procedures. 

The SHIELD act requires that “[a]ny person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information[.]” (emphasis added). But, what does reasonable mean?

According to the Act, a business is deemed in compliance with the reasonable requirement if they employ three specific safeguards: administrative, technical, and physical.
 

Administrative Safeguards

Administrative safeguards are focused on the adequate administration of the later discussed technical and physical safeguards. This should be viewed as a cyclic data security process (pdf):  

  1. A business must designate “one or more employees to coordinate the security program.”
  2. That coordinator must conduct a risk assessment, mapping the flow of information and identifying areas in that flow prone to a lapse in data security.
  3. Once that assessment is complete, the coordinators—along with the business’s administrators—should create a policy of safeguards to protect the vulnerabilities identified in the previous risk assessment. To be in compliance with the Act, this policy must include contracting with a service provider “capable of maintain [those] appropriate safeguard.”   
  4. That policy is then implemented, and employees are trained on their role in the data security process.
  5. Finally, the business—most likely through the service providers from step three—should audit the process’s success against the changing landscape of the business’s market, and begin the cycle all over again. 

This process, while seemingly tedious, allows businesses to effectively monitor their data security practices and proactively make adjustments to ensure the process is effective.

 

Technical Safeguards

Technical safeguards are focused on the technology a business uses to provide its services or content to its customers (i.e. their data processing and storing programs). The Act requires businesses to assess their technological systems to detect, prevent and respond to “attacks or system failures.” This safeguard is designed to ensure customers’ personal information, stored electronically, is not easily accessed by an unauthorized user.   

These safeguards essentially apply to all manners in which the business stores and maintains N.Y. residents’ personal information. A service provider that is used to administer the safeguards is likely to provide these technical requirements, only increasing businesses’ overall compliance costs.
  

Physical Safeguards

Physical safeguards deal with the physical storage and disposal of customer records. Like the other safeguards, these call for continued monitoring to prevent, detect and respond to unauthorized intrusions. There is also the new requirement that businesses dispose of information in a reasonable amount of time after it is no longer needed for business purposes.
 

What does all that mean for my business? 

The SHIELD Act allows for some flexibility within a business’s specific data security program, as well as some guidance into compliant measures. A company subject to the Act’s requirements must employ these reasonable measures, or risk facing civil penalties and/or injunction under the state’s Unfair and Deceptive Trade Practices statute

For larger companies in the business of collecting consumer data, many of these safeguards are likely already in place; however, the specific program requirements will likely need to be updated to comply with the SHIELD Act. 

For smaller companies and start-ups, these safeguards may seem daunting but provide a flexible standard by which to operate. That is because smaller businesses, which the Act defines based on the number of employees, gross revenue, or year-end total assets, are permitted to employ these safeguards in a manner consistent with the nature and scope of their business.

While increasing consumer protections for New York residents, the act will also increase a company’s cost of doing business with those same residents. This has many organizations calling for the Federal Government to step in and preempt such laws, but only time will tell if Congress will take such action.