By Melanie M. Ghaw, Esq.
On April 19, 2023, New York State Attorney General Letitia James (“NYAG”) released a guide (“Guide”), available HERE, to help businesses strengthen their data security programs as required by New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”). The SHIELD Act was enacted on March 21, 2020, to protect the private information of New York residents and requires covered businesses that own or license computerized data to use “reasonable safeguards” to protect that data.
As background, the SHIELD Act applies to “[a]ny person or business which owns or licenses computerized data which includes private information” of a New York resident, with the exception of small businesses with fewer than fifty employees, and with either less than three million dollars in gross annual revenue or less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.
All such businesses must protect New Yorkers’ “private information,” which is defined as any information that can be used to identify a natural person, such as a name, number, personal mark, or other identifiers, and any one or more of the following unencrypted data elements:
- Social Security number
- Driver’s license or non-driver identification card
- Credit/debit card numbers
- Financial account number with access information
- Financial account number, if the number alone can be used to access a financial account
- Biometric information, such as fingerprints or retina image
- Username or e-mail address coupled with a password or security questions to access an online account
The Guide provides more details on businesses’ obligations under the SHIELD Act, and states that they must, at a minimum, “take the reasonable steps” summarized below:
- Maintain controls for secure authentication
- Use a secure method of authentication: Use a secure alternative, such as multi-factor authentication, especially for administrative or remote accounts.
- Require lengthy and secure passwords: Compare user passwords against breached password databases and prohibit context-specific passwords.
- Secure passwords against attack: Use a method of “hashing” that is not susceptible to hacking attempts.
- Encrypt sensitive customer information: Implement and establish controls that encrypt sensitive customer information.
- Ensure service providers use reasonable security measures: May include selecting service providers with appropriate data security programs, building security expectations in contracts, and monitoring the service providers’ work.
- Know where you keep consumer information: Maintain an inventory of assets that track the storage of personal information to ensure appropriate security.
- Guard against data leakage in web applications: Mask sensitive information and audit web applications to ensure sensitive data is transmitted in unmasked form only when appropriate.
- Protect customer accounts impacted in data security incidents: When data breaches occur, businesses should block attackers’ access to the accounts and quickly notify impacted customers.
- Delete or disable unnecessary accounts: Delete or disable accounts with access to sensitive information when employees leave or vendor engagements end.
- Guard against automated attacks: Establish a data security program for online customer accounts to safeguard customers from “credential stuffing attacks.”
- Provide clear and accurate notice to consumers: Provide affected consumers with timely and accurate notice that conveys material information about an attack.
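As an added illustration of the password-related steps above (it is not part of the Guide or of this article), the following Python checks a candidate password for length, for context-specific terms such as the username or company name, and for presence in a breached-password set using a prefix range lookup, then stores it with a salted scrypt hash. The breach corpus, the username and the company name are constructed sample values.

```python
import hashlib
import hmac
import os
# Constructed stand-in for a breached-password database (real corpora hold
# billions of entries), kept as uppercase SHA-1 hex, the usual interchange form.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2023!")
}

def range_lookup(prefix5):
    # Server side of a k-anonymity range query: the client sends only five hex
    # digits of its hash, so the full password hash never leaves the client.
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}

def is_breached(password):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])

def check_password_policy(password, username, company, min_length=12):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    # Context-specific terms: anything guessable from the account or business.
    for term in (username, company):
        if len(term) >= 4 and term.lower() in password.lower():
            problems.append("contains context-specific term: " + term)
    if is_breached(password):
        problems.append("appears in breached password database")
    return problems

# scrypt: 128 * n * r = 16 MiB of memory per guess, which is what keeps offline
# cracking of a stolen hash table expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hash_password(password, salt=None):
    """Self-describing record: algorithm, parameters, salt and hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])

def verify_password(password, record):
    alg, n, r, p, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    # compare_digest is constant-time, so timing does not leak the stored hash.
    return alg == "scrypt" and hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```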
Based on the steps enumerated in the Guide, and the current nationwide focus on the protection of data privacy, covered employers should review their current data security protocols and policies to ensure that, at a minimum, they comply with the steps outlined in the Guide. Small businesses should ensure their security programs contain reasonable administrative, technical, and physical safeguards appropriate for the size and complexity, and the nature and scope, of their business.
If you have any questions relating to the Guide or would like assistance reviewing your company’s data security program to ensure it meets or exceeds the requirements noted in the Guide, please feel free to reach out to the NFC Attorney with whom you typically work or call us at 973.665.9100.