Nonprofit Update: The New York SHIELD Act – The Top 5 Things You Need to Know
Nonprofit organizations are reminded that under the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, they have until March 21, 2020 to develop and implement a data security program that contains reasonable administrative, technical and physical safeguards for protecting against unauthorized access to private information of New York residents. Here are five key things to know about the SHIELD Act.
1. The SHIELD Act applies to all businesses and nonprofit organizations.
The SHIELD Act applies to any person, business, or organization that stores personal information of New York residents. Personal information includes social security numbers, driver’s license numbers, bank account numbers, credit or debit card numbers, biometric information (such as fingerprints), and usernames or e-mail addresses in combination with a password or security questions. Thus, personal information includes information that an organization might ordinarily maintain about its employees, donors, volunteers, and others. The broad definition of personal information captures all employers, including nonprofit organizations.
2. The SHIELD Act contains robust minimum standards for a reasonable security program.
A data security program that contains the minimum standards set forth in the SHIELD Act will be deemed compliant. According to those standards, a data security program must, at minimum, contain the administrative, technical and physical safeguards enumerated in the statute. These include a plan for assessing reasonably foreseeable internal and external risks of unauthorized access to or use of private information and specific safeguards to control those risks. An organization that puts in place a data security program that contains the safeguards enumerated in the SHIELD Act will be found in compliance with the Act.
3. Small businesses and organizations have flexibility to adopt less stringent security safeguards.
Organizations with fewer than fifty employees, or less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets need not necessarily meet the minimum standards under the SHIELD Act to be compliant with the Act. Rather, such small businesses may develop a security program that is appropriate for their size and complexity, given the nature and scope of the organization’s activities and the nature of the personal information collected.
4. If you are subject to health and financial data security regulations, you already comply with the SHIELD Act.
Organizations that are subject to and in compliance with health care data security regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and financial services security regulations under the Gramm-Leach-Bliley Act (GLBA) or the Cybersecurity Requirements for Financial Services Companies under regulations promulgated by the New York Department of Financial Services are deemed compliant with the reasonable security requirement and need not take further action in that regard.
5. Violation of the SHIELD Act is subject to civil action and penalties.
The Attorney General is charged with enforcing the SHIELD Act and may bring an action for civil penalties or to enjoin unlawful practices. The penalty for failing to adopt reasonable safeguards is up to $5,000 per violation. This is on top of the penalty for failing to provide the required notification in the event of a breach, which can amount to the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000 per breach. The notification requirements of the SHIELD Act became effective on October 23, 2019, whereas the requirement to establish a data security program takes effect on March 21, 2020.
Organizations that already have a cybersecurity policy in place should review it to ensure it is up to date and compliant with the SHIELD Act and similar data security laws in other jurisdictions in which the organization operates or from which it collects data. Those that do not have such a policy in place should evaluate the sufficiency of their internal programs and those of any third-party service provider and adopt a data security policy as soon as possible to ensure compliance with the SHIELD Act.