The NY SHIELD Act – Helpful or Not?

Created on 2019-10-21 23:05

Published on 2019-10-21 23:14

If you are a person or business processing the private information of a New York resident, and you are located ANYWHERE, you must comply with New York's new Stop Hacks and Improve Electronic Data Security (SHIELD) Act. I put this article together as a brief introduction and guide to the Act for those of you who process, own or license computerized private information of New Yorkers and are not sure what to do to achieve compliance.

What is the NY SHIELD Act?

This new law (signed on Thursday, July 25, 2019 by Governor Andrew Cuomo) primarily does two things: 1) it amends the definitions in the existing NY data breach notification statute (General Business Law §899-aa); and 2) it adds a new section (General Business Law §899-bb) requiring reasonable data security controls to protect the “private information” of New York residents, regardless of whether they are your customers or your employees. Digging in further, the amendments to §899-aa make three key expansions: 1) the definition of “private information”; 2) the definition of “breach of the security of the system”; and 3) the geographic reach, which, as noted above, now extends to any person or business that owns or licenses computerized private information of New York residents, no matter where that person or business is located and regardless of whether the information belongs to customers or employees.

Overall, I think the improvements are logical, valuable and may even help to reduce the number of breaches due to the expanded scope and enhanced protections; however, like any other security policy or law, the overall effectiveness is only as good as the people (internal and 3rd party), processes and technologies in place to implement and maintain security. And, of course, like most new laws and regulations, the greatest impact will fall on small to midsized organizations because of the added expense necessary to comply.

What is the new definition of “private information” and what does it include?

“Private information” previously meant personal information (for example, a name) in combination with one or more data elements: a Social Security number; a driver's license or non-driver ID number; or a credit/debit card or financial account number together with the security code, access code or password needed to use the account. NY has expanded the list of data elements to include biometric information and a financial account number WITHOUT a security code if the account could nonetheless be accessed without additional identifying information, and has added a second, stand-alone category: a username or e-mail address in combination with a password OR a security [challenge] question and answer that would permit access to an online account. Note that “private information” excludes publicly available information that is lawfully made available to the general public from federal, state or local government records.

What is biometric information?

Biometric information includes any measurable feature of human biology. In the broadest sense this covers personal traits such as height, weight and eye color; the attributes that matter for authentication, however, are the ones that are effectively unique to an individual, such as fingerprints; the geometry of veins in the hand or eye; the shape of the retina, iris, hands, ears or face; voice; heartbeat; and even body odor. New York specifically defines biometric information as “data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity”. In essence, the definition is open-ended: any unique physical or digital representation that is used to authenticate or identify a person qualifies, so a new biometric identifier developed tomorrow would be covered without any change to the statute.

Why is biometric information valuable?

Any piece of information used to authenticate an identity to a system, like a username and password, should be considered valuable because it grants access to the service the system provides. The true value of that information for a particular system obviously depends on what permissions are granted, i.e., what the person can do with that access. Biometric information, however, is in general extremely valuable because the underlying traits do not change. Combine this with the growing number of organizations that accept biometrics as credentials and the value only increases. For example, with my password and facial biometrics, using my smartphone I can access an enormous amount of personal information, purchase goods, obtain credit and transfer money into and out of several accounts. Considering my biometrics are generally unchangeable (unlike a password), anyone with access to them and the technological know-how can use my biometric credentials to impersonate me wherever and whenever the technology is used. The practical consequence for anyone designing such a system is that a biometric cannot be reissued after a compromise: store a derived template rather than the raw image or recording, and match as close to the sensor as possible, so that a breach of a central database does not hand an attacker a reusable credential.

What is the new definition of “breach of the security of the system”?

“Breach of the security of the system” is now defined as, “unauthorized ACCESS TO OR acquisition OF, or ACCESS TO OR acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of [personal] PRIVATE information maintained by a business. Good faith ACCESS TO, OR acquisition of [personal], PRIVATE information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.” (The quoted text follows the bill's own formatting: CAPITALIZED words are additions to the prior statute and [bracketed] words are deletions from it. The key change is that mere unauthorized access now counts; the old definition required acquisition.) Note also the narrow exception to the notification requirement: where the exposure was an inadvertent disclosure by a person already authorized to access the private information, notice is not required if the person or business “reasonably determines that such exposure will not likely result in misuse of such information or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials”. That determination must be documented in writing and the documentation retained.

In simpler terms, access to or acquisition of private information by any party other than the individual, the business, or the business's authorized employees, agents and contracted 3rd parties is a breach of the security of the system, subject only to the exclusions above. It may be difficult for a person or business to determine whether the affected persons could suffer emotional harm, so this factor may need to work its way into risk assessments and scenario analysis for capital planning and for the selection of data protection and security controls.

I think the term “system” could be read generally and not necessarily as a direct reference to a “computer system” (e.g., a lost USB memory device containing such private information would still hold computerized data), but this is just my opinion.

In order to determine whether a breach has occurred you need indicators of the breach and, obviously, a system or process that produces and reviews that intelligence; the notification duty is triggered by discovery of, or notification about, the breach, and the Act digs further into what that entails. Hopefully your logging, monitoring and review process surfaces early warning indicators, so that you are not waiting for a breach to be reported to you by a 3rd party or a customer.

Where and to whom does this law apply?

The law states, “Any person or business which [conducts business in New York state, and which] owns or licenses computerized data which includes private information” must comply with the reporting requirements, and “shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, ACCESSED OR acquired by a person without valid authorization”. Here the bracketed words are the text the Act deletes: the old requirement that the person or business conduct business in New York is gone. Translated, this means that any person or business, wherever located and whether or not it has a physical presence or transacts business in New York, must comply with the disclosure requirements if it owns or licenses computerized data that includes the private information of New York residents. The law also states that entities already regulated under and compliant with certain other data security regimes (e.g., financial services institutions subject to the Gramm-Leach-Bliley Act or NYDFS Part 500, and healthcare entities subject to HIPAA) are deemed to be in compliance with the data security requirements of this law.

What are the new data security requirements imposed?

Besides protection measures typically seen in other state laws or federal regulations (e.g., implement a data security program, designate someone to coordinate the program, identify internal and external risks, etc.), the most notable requirements in my opinion are: 1) a provision to select service providers capable of maintaining appropriate safeguards and to require those safeguards by contract; 2) reasonable technical safeguards, including the assessment of risks in network and software design; 3) protection against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and 4) disposal of private information within a reasonable amount of time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed. I consider these most notable because many small, and even some moderately-sized, businesses will likely have a difficult time implementing them with limited resources. The Act does soften the burden for a “small business” (fewer than 50 employees, under $3 million in gross annual revenue in each of the last three fiscal years, or under $5 million in year-end total assets), whose safeguards need only be appropriate to its size and complexity, the nature of its activities, and the sensitivity of the information it handles.

When does this law go into effect?

The breach notification amendments take effect on October 23, 2019 (this Wednesday), while the data security requirements take effect on March 21, 2020.

In summary, I believe the NY SHIELD Act does a good job expanding the law to address future challenges related to the theft of biometrics; however, like most cybersecurity laws and regulations, it will ultimately impose additional expense on small and midsized businesses because of the data protection enhancements required.

What is your opinion? Will the new Act be helpful or not? How will it impact you and your organization? What challenges do you foresee?

Note, I am neither a lawyer nor do I play one on TV. Use the above information at your own risk and always seek professional legal services and advice to ensure full compliance with any new or existing law.

Where can I go to learn more?

The entire content of the new Act can be found here: https://www.nysenate.gov/legislation/bills/2019/s5575

Several articles have also been written about the Act, including the following:

https://www.shrm.org/resourcesandtools/legal-and-compliance/state-and-local-updates/pages/new-york-shield-act.aspx

https://www.natlawreview.com/article/new-york-enacts-shield-act

https://www.jonesday.com/en/insights/2019/08/new-york-passes-shield-act