Infinity War: Exploring the State Data Security Law Multiverse and Its Newest Member (the NY SHIELD Act)

The oft-derided U.S. hodgepodge of privacy and data security law is about to add another hodge. Or is it a podge? Not important, moving on… On March 21, 2020, the data security requirements of New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act will take effect and will require some businesses to adopt specified administrative, physical, and technical safeguards to protect New York residents’ private information. It is time to assemble your beleaguered privacy lawyers and their data security counterparts to ensure you can demonstrate compliance with the latest in an infinitely evolving series of data security laws.

As with most U.S. state privacy laws, determining whether and to what extent your organization must comply is half the galactic battle. Under SHIELD, a variety of entities can sit out the mission, namely HIPAA covered entities and business associates, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and organizations subject to existing New York law, such as DFS cyber regulations. These “compliant regulated entities” are deemed to comply with SHIELD, provided they comply with those other data security laws.

Small businesses also catch a break if they have (i) fewer than fifty employees; (ii) less than $3 million in gross annual revenue in each of the last three fiscal years; or (iii) less than $5 million in year-end total assets. Businesses that meet any of those criteria are excused from complying with SHIELD’s specific obligations, and instead need only implement “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”

If you weren’t lucky enough to survive the snap, here’s what else you need to do to comply:

  • Reasonable administrative safeguards such as the following:
    • designate one or more employees to coordinate the security program
    • identify reasonably foreseeable internal and external risks
    • assess the sufficiency of safeguards in place to control the identified risks
    • train and manage employees in security program practices and procedures
    • select service providers capable of maintaining appropriate safeguards
    • require service providers to implement those safeguards by contract
    • adjust the security program considering business changes or new circumstances
  • Reasonable technical safeguards such as the following:
    • assess risks in network and software design
    • assess risks in information processing, transmission and storage
    • detect, prevent and respond to attacks or system failures
    • regularly test and monitor the effectiveness of key controls, systems and procedures
  • Reasonable physical safeguards such as the following:
    • assess risks of information storage and disposal
    • detect, prevent and respond to intrusions
    • protect against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information
    • dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed

New York is one of a growing number of states to affirmatively mandate security measures for covered personal information. Some of those states, like New York, mandate specific measures, with an emphasis on documentation (see, e.g., Massachusetts, Oregon, Nevada). Others (see, e.g., California and Florida) impose a more flexible standard, such as a requirement to “implement and maintain reasonable security measures to protect information from unauthorized access.” Under either approach, businesses have an affirmative duty to secure personal information, with corresponding exposure to regulatory enforcement and/or private claims if they fail to satisfy that duty.

In an important variation, some states are moving to (or considering) a “carrot-based” model to encourage strong data security. Ohio, for example, uses a “safe harbor” approach, wherein businesses that maintain an information security program qualify for an affirmative defense to any state tort-based cause of action following a data breach. That program must “reasonably conform” to one of several enumerated frameworks, including HIPAA, GLBA, NIST CSF, NIST 800-53, FedRAMP, or ISO 27001/2. Other states, including Iowa and Utah, are considering a similar approach.

This model holds some appeal for businesses that are weary of retrofitting their existing security programs with elements newly dictated by legislatures. Instead, they can adhere to a program that suits their industry well. Because that program and the compliance requirements will be updated based on threats and changing industry practice, the laws also take on an evergreen quality and remain technology-neutral. Wakanda Forever!

Most states, however, continue to “incentivize” data security using a “stick” approach that has created an impractical, ineffective, increasingly disparate patchwork of data breach notification laws. Those laws do not require businesses to maintain security programs, but they do require businesses to self-report if their security fails and a data breach results.

New York’s SHIELD law had a few new concepts to offer here too, effective October 23, 2019. The law expanded the concept of “breach” to include incidents where private information was accessed (it need not be acquired) and directs businesses to consider any “indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person” in making that determination. The law also expanded the scope of covered private information to include biometric data, financial account or payment card numbers regardless of whether a security code or password needed to access the account is affected, and usernames and email addresses when affected in combination with passwords or security questions that could provide access to online accounts.

SHIELD thus brings yet another variation to accommodate in your legal representatives’ breach response. No two states have the same requirements, and multiple states now have more than one breach notification law. Data breach notification has simply jumped the shark. It was always a flawed concept: the premise that consumers should be informed of a breach in order to protect themselves is undercut by the low enrollment rates when breached companies offer no-cost monitoring services. In addition, there is little evidence that breach victims suffer particularly from fraud or identity theft: The Political & Economic Research Council recently found that the highest observed rate of identity theft linked to a data breach was 2.5%, while the identity theft rate in the general population averaged 5.32%. Rather than Hulk out every time a company loses their personal information, consumers generally continue to do business with the affected company.

Keeping pace with these developments can feel a little like trying to stop Thanos from getting his mitts on that last infinity stone: futile, frustrating, and fatiguing. The good news is that there are many common themes across these laws. The best first steps for a business that finds itself covered are to synthesize the requirements to build a framework, document your practices (some laws require it, and regulators will expect evidence of compliance), and start engaging in regular risk analyses and assessments to keep the program compliant, up-to-date, and effective. These laws should compel you to assemble a team, and embark on a multi-part mission to build, test, improve, document, and repeat. Helicarrier not required.