Advertising Law Blog

The SHIELD Act applies to “private information,” which means either of the following information:

• Personal information (such as a name, telephone number, or email address) when such personal information is coupled with other identifying information such as a social security number, driver’s license or state ID number, credit or debit card number (in combination with a security code, access code, password, or other information that would permit access to the account), or biometric information; or

• A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

The SHIELD Act requires persons and businesses who collect, use, and store “private information” to implement a data security program with the following components:

• Administrative safeguards – such as designating one or more employees to coordinate the security program; identifying reasonably foreseeable risks; assessing the sufficiency of the safeguards in place; training and managing employees in the security program; selecting adequate service providers capable of maintaining adequate safeguards; and adjusting the security program in light of business changes;

• Technical safeguards – such as assessing risks in network and software design and information processing, transmission and storage; detecting, preventing, and responding to attacks or system failures; and regularly testing and monitoring the effectiveness of key controls, systems, and procedures; and

• Physical safeguards – such as assessing risks of information storage and disposal; detecting, preventing, and responding to intrusions; protecting against unauthorized access to or use of private information; and disposing of private information within a reasonable amount of time when it no longer has a business purpose by erasing it so it can no longer be read or reconstructed.

A person or business covered by the SHIELD Act must report a breach of the security of the system to the affected individuals. A breach of the security system includes unauthorized access to, as well as unauthorized acquisition of, the private data. Such notice must be made “in the most expedient time possible” and “without unreasonable delay.” In addition, any breach that affects 500 or more New York resident must be reported to the NY State Attorney General within ten (10) days of a determination that a breach has occurred.

Compliance with the SHIELD Act is enforced by the NY State Attorney General. Failure to comply with the Act may result in injunctive relief and penalties up to $5,000 per violation for failure to implement appropriate data protection and up to $250,000 for failure to provide proper notice in the event of a data breach.

Takeaway: As the SHIELD Act applies to all persons and businesses who collect, use, or store private information of any New York residents, such persons and businesses are encouraged to take data protection seriously and implement the proper protections and training necessary to assure compliance with the Act, as well as other data privacy laws that may be applicable.