The amendment done by the State of New York on its data breach notification laws took effect on the 21st of March 2020. The amended portion of the data breach notification law focused solely on improving the privacy and security requirements for Personally Identifiable Information (PII) of citizens and entities within the State.

Due to the dynamic nature of the cybersecurity threat landscape, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was put in place to replace the New York Department of Financial Services (NYDFS) cybersecurity regulations. This replacement caused the significant expansion of the scope of New York’s data security law to account for small and midsize businesses and not only limited to the larger entities in the financial services industry.

How does the improved data security requirement in the New York SHIELD Act affect small and midsize businesses regarding their computing environment and budget? In this article, we shall look at the differences between the two cybersecurity regulations, the challenges and opportunities they have for businesses in New York, and the penalties of non-compliance with the amended cybersecurity regulations.

DIFFERENCES BETWEEN THE SHIELD ACT AND THE NYDFS CYBERSECURITY REGULATIONS

The NYDFS cybersecurity regulation required banks, financial services institutions, and insurance companies to create cybersecurity and data privacy compliance programs that protect their own IT systems and customer’s confidential information from attacks by cybercriminals. However, a compliance program is meant to provide defensive infrastructure, have viable cybersecurity policies and procedures, schedule regular security risk assessments, and create an effective incident response plan.

The New York SHIELD Act is significantly beyond financial institutions imposing additional data security obligations on businesses to protect the private information of New York residents. It demands small and midsize businesses to put in place a viable “Data Security and Risk Assessments Program” to monitor and improve cybersecurity, to implement and maintain reasonable safeguards, and to protect and ensure the confidentiality and integrity of private data.

According to Section 899-BB of the New York State Data Security Protection Law, small businesses with less than 50 employees should tailor their security programs to fit their size, the nature and scope of their activities, and the sensitivity of the personal information collected and stored. Compliance with NYDFS and other New York State data security regulations is the same as compliance with the reasonable safeguards requirements section of the SHIELD Act that includes administrative safeguards, technical safeguards, and physical safeguards.

UNCOVERING THE CHALLENGES BETWEEN BOTH REGULATIONS

Breaching the security of systems means getting unauthorized access to computerized data that compromises the security, confidentiality, or integrity of private information.

The security breach notification obligation to New York residents is not required if certain unauthorized activity like downloading, copying, or obtaining physical control of protected data takes place. A business may be held responsible for a breach to a third-party vendor or subsidiary that doesn’t maintain the same high cybersecurity standard.

One other challenge that the SHIELD Act cybersecurity regulation faces is its enforcement.  Although the SHIELD Act does not explicitly provide the New York Attorney General the enforcement authority over unfair and deceptive business practices under the state’s consumer protection law. There is a need to keep in mind that the expanded legal requirements of the New York SHIELD Act as businesses outside New York may find the heightened obligation in responsive safeguards to be beyond the security requirements of their state.

UNCOVERING THE OPPORTUNITIES BETWEEN BOTH REGULATIONS

The New York SHIELD Act cybersecurity regulations offer businesses the opportunity to develop, implement, and maintain a robust data security and risk assessments program that will guarantee administrative, technical, and physical safeguards needed to protect the security, confidentiality, and integrity of the private data of New York residents.

Businesses can comply with the New York SHIELD Act by taking strategic measures like the good practice of performing risk assessments on data and associated security measures from time to time. Having a qualified cybersecurity officer to train and manage employees in the security program practices and procedures, and placing an in-house person in charge of a security program to carry out vulnerability testing and privacy impact assessments helps to ensure the effectiveness of security measures.

CONCLUSION

The New York SHIELD Act has significantly expanded the NYDFS cybersecurity regulations to impose additional data security obligations on businesses that handle, store, or use the personal information of New York residents. Businesses are now required to implement specific data security measures and improve their assessment standards and tools. Breaches to subsidiaries and vendors occur frequently, hence, the ability of vendors and third parties to meet all relevant regulatory compliance requirements with the NY SHIELD Act will play a key role.

Businesses should implement sophisticated data security programs that will help in the assessment of their risk exposure and design programs that effectively address the security risks they face. They should also consider running cyber risk assessments and vulnerability testing, organizing mandatory cybersecurity awareness training for all employees, and requesting subsidiaries and third-party vendors to adhere strictly to their IT security standards to ensure they all comply with the New York SHIELD Act.