Solutions by Design Shares Important Info from NYS SHIELD Act

August 15, 2019
The SHIELD Act, which goes into effect May 22, 2020, will require companies to put “reasonable” protections in place, and appoint an employee to oversee the cybersecurity program. If we were talking to a client, we would tell them to start with the following:
  1. Create a cybersecurity policy.
  2. Train all staff on the cybersecurity policy. Build a company culture that promotes security-conscious behavior.
  3. Adopt a password manager, such as LastPass, and use it to create new passwords for EVERY account. (This is probably the most important step companies are missing today.)
  4. Install a security appliance to replace your aging firewall. Old firewalls not only lack modern security features, they are also full of vulnerabilities—ripe for hacking.
  5. Encrypt all servers, desktops, and laptops.
  6. Install security patches every month.
  7. Train, train, train! Never stop training your staff about cybersecurity. Drill it into everyone’s head that cybersecurity starts with them. “Only you can stop security breaches” – cheesy, but true!
Below please find some highlights from the NYS SHIELD Act. Most of the text has been copied word-for-word from the text of Assembly bill A5635B, but some text has been modified slightly to make it more concise and reader friendly.

Reasonable Security Requirement

“Any person or business that owns or licenses computerized data which includes private information of a resident of New York state shall develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.”

Companies must implement a data security program, which includes reasonable administrative, technical, and physical safeguards. These safeguards must include the items below.

Reasonable administrative safeguards

  1. Designate an employee(s) to coordinate the security program
  2. Identify internal and external risks
  3. Assess safeguards put in place to control identified risks
  4. Train employees in the security program, practices, and procedures
  5. Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract

Reasonable technical safeguards

  1. Assess risks in network and software design
  2. Assess risks in information processing, transmission, and storage
  3. Detect, prevent, and respond to attacks or system failures
  4. Regularly test and monitor the effectiveness of controls, systems, and procedures

Reasonable physical safeguards

  1. Assess risks of information storage and disposal
  2. Detect, prevent, and respond to intrusions
  3. Protect against unauthorized access/use of private information during or after the collection, transportation, and destruction of the information.
  4. Dispose of private information after it is no longer needed for business purposes by erasing it such that the information cannot be read or reconstructed

Notification of Data Breach

Any person or business which conducts business in New York state must notify any resident of New York state whose private information was accessed, or is reasonably believed to have been accessed, without authorization. You must also notify the state attorney general, department of state and the state police. Lastly, companies must develop a notification policy consistent with this law.

The law lays out in detail how notice is to be given. There is a provision (which I won’t go into in detail here) for not notifying residents if the data is inadvertently disclosed and believed to cause no harm.

DEFINITIONS

"Personal Information"

shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person;

"Private Information"

shall mean EITHER:
(I) personal information consisting of any information in combination with any one or more of the following data elements, when either the DATA ELEMENT OR THE COMBINATION OF personal information [or] PLUS the data element is not encrypted, or IS encrypted with an encryption key that has also been ACCESSED OR acquired:
  1. social security number;
  2. driver's license number or non-driver identification card number; [or]
  3. account number, credit or debit card number, in combination with any required security code, access code, [or] password OR OTHER INFORMATION that would permit access to an individual's financial account;
  4. ACCOUNT NUMBER, CREDIT OR DEBIT CARD NUMBER, IF CIRCUMSTANCES EXIST WHEREIN SUCH NUMBER COULD BE USED TO ACCESS AN INDIVIDUAL'S FINANCIAL ACCOUNT WITHOUT ADDITIONAL IDENTIFYING INFORMATION, SECURITY CODE, ACCESS CODE, OR PASSWORD; OR
  5. BIOMETRIC INFORMATION, MEANING DATA GENERATED BY ELECTRONIC MEASUREMENTS OF AN INDIVIDUAL'S UNIQUE PHYSICAL CHARACTERISTICS, SUCH AS A FINGERPRINT, VOICE PRINT, RETINA OR IRIS IMAGE, OR OTHER UNIQUE PHYSICAL REPRESENTATION OR DIGITAL REPRESENTATION OF BIOMETRIC DATA WHICH ARE USED TO AUTHENTICATE OR ASCERTAIN THE INDIVIDUAL'S IDENTITY; OR
(II) A USER NAME OR E-MAIL ADDRESS IN COMBINATION WITH A PASSWORD OR SECURITY QUESTION AND ANSWER THAT WOULD PERMIT ACCESS TO AN ONLINE ACCOUNT.
"Private information" does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.


"Breach of the Security System"

shall mean unauthorized ACCESS TO OR acquisition OF, or ACCESS TO OR acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of [personal] PRIVATE information maintained by a business. Good faith ACCESS TO, OR acquisition of [personal], PRIVATE information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.

Contact:
Kevin Jones
KJones@sbdtech.com