January 2021

Even Small Employers Have Data Protection Requirements Under the NYS “Shield” Act

By Alexandra Lapes

New York employers responding to the pandemic may have overlooked data privacy requirements that took full effect in March 2020 as part of the Stop Hacks and Improve Electronic Data Security (“Shield”) Act. The Shield Act requires any business handling the “private information” of New York residents to comply with broadened data breach notification requirements, and for the first time it sets specific standards that covered businesses and employers should meet to maintain reasonable data security safeguards. The Act explicitly requires small employers to implement a data security program that contains reasonable administrative, technical, and physical safeguards, and to provide notice to affected individuals and the proper authorities in the case of a data security breach. The Act defines a small business as any person or business with fewer than 50 employees; less than three million dollars in annual revenue for the past three years; or less than five million dollars in year-end assets.

The type of “private information” held by organizations that may trigger the provisions of the Shield Act is defined broadly to include any of the following data elements:

  • social security number;
  • driver’s license number or non-driver identification card number;
  • account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account;
  • account number, credit or debit card number if the number could be used to access an individual’s financial account without additional identifying information;
  • biometric information; or
  • a username or e-mail address in combination with a password or security question and answer that would permit access to an online account.

If any one of those data elements is “accessed” or “acquired” by an unauthorized party and can be linked back to an individual’s “personal information,” meaning name, number, personal mark or other individual identifier, it falls under the Shield Act.  Encrypted data falls outside the scope of the Shield Act, unless the data is encrypted with an encryption key that has been “accessed or acquired” by an unauthorized party.

When implementing the security obligations required of all covered employers under the Act, small employers are allowed greater flexibility and will be deemed compliant if the security program is reasonable based on the size and complexity of the business. Small businesses should consider implementing appropriate measures in each of the following areas:

  • administrative safeguards, such as designating one or more employees to coordinate a data security program, identifying foreseeable internal and external risks on a regular basis, tracking and assessing the sufficiency of safeguards in controlling identified risks, and training employees in the security program, including preparing and preserving documentation of compliance activities;
  • technical safeguards, such as assessing risks in network and software design, using the latest versions of software, implementing two-factor authentication, preventing and responding to attacks or system failures, and regularly testing and monitoring the effectiveness of system controls and procedures; as well as
  • physical safeguards, such as assessing the risks of storing and removing private information, detecting and preventing intrusions, physically securing access to information, and disposing of that information within a reasonable amount of time.

Small employers must also consider administrative safeguards with regard to third-party providers who have access to private data. These safeguards should be documented so that the employer can demonstrate the reasonableness of its efforts to secure private information.

Small employers should also consider encrypting any and all private information of New York residents to which they have access, and storing the key to the encryption separately from the private information itself.  In doing so, they can significantly minimize the risk of data theft and similarly minimize their obligations and liabilities under the Shield Act.
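The recommendation above, encrypting private information and keeping the key apart from the data, can be shown concretely. The following Go program is an added illustration and is not code from the article or from any particular product: it takes a constructed HR record containing a name and a placeholder social security number, stores the number only as AES-GCM ciphertext, and keeps the key in a separate object that would in practice live in a key store (a KMS, an HSM, or at least a different host with its own access policy). The record, key, and function names are assumptions chosen for the example. Because the stored row contains no key material, a copy of the database alone yields no private information, which is the condition under which the Act's encryption exception applies; if the key were obtained as well, that exception would no longer hold.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
)

// EmployeeRecord is a constructed example of an HR record that pairs a Shield Act
// "private information" data element (the SSN) with "personal information" (the name).
type EmployeeRecord struct {
	Name string
	SSN  string
}

// StoredRecord is what the HR database actually holds: the name in the clear, the
// SSN only as AES-GCM ciphertext, and no key material at all.
type StoredRecord struct {
	Name         string
	SSNEncrypted string // base64(nonce || ciphertext || GCM tag)
}

// NewDataKey returns a fresh 256-bit AES key. In a real deployment this key is
// held in a separate key store, never alongside the StoredRecord rows.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts the SSN under key. The employee name is passed as additional
// authenticated data, so a ciphertext copied onto a different row will not decrypt.
func Protect(key []byte, r EmployeeRecord) (StoredRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredRecord{}, err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(r.SSN), []byte(r.Name))
	return StoredRecord{Name: r.Name, SSNEncrypted: base64.StdEncoding.EncodeToString(sealed)}, nil
}

// Reveal reverses Protect. It fails, returning no plaintext, on a wrong key,
// a tampered ciphertext, or a ciphertext moved to another employee's row.
func Reveal(key []byte, s StoredRecord) (EmployeeRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return EmployeeRecord{}, err
	}
	raw, err := base64.StdEncoding.DecodeString(s.SSNEncrypted)
	if err != nil {
		return EmployeeRecord{}, err
	}
	if len(raw) < gcm.NonceSize() {
		return EmployeeRecord{}, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	ssn, err := gcm.Open(nil, nonce, ct, []byte(s.Name))
	if err != nil {
		return EmployeeRecord{}, err
	}
	return EmployeeRecord{Name: s.Name, SSN: string(ssn)}, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the SSN is a placeholder, not a real number.
	rec := EmployeeRecord{Name: "Jane Doe", SSN: "123-45-6789"}
	stored, err := Protect(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: name=%q ssn=%s\n", stored.Name, stored.SSNEncrypted)

	back, err := Reveal(key, stored)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with the data key: %q\n", back.SSN)

	wrongKey, _ := NewDataKey()
	if _, err := Reveal(wrongKey, stored); err != nil {
		fmt.Println("database copy without the key yields nothing:", err)
	}
}
```

Binding the ciphertext to the employee name through the authenticated data is what makes the separation meaningful beyond the key: an attacker who can modify rows cannot reassign one person's encrypted number to another's record without the decryption failing, and a breach that exposes only the database exposes nothing the Act treats as private information.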
