Businesses should review their information security programs to identify the “private information” they collect and evaluate their existing safeguards against the SHIELD Act’s data security requirements. Businesses that have already taken steps to comply with similar state laws that require a data security program (such as Massachusetts’ law requiring a written information security program) may find that they have a head start on compliance with the SHIELD Act.
The SHIELD Act requires covered businesses to implement and maintain reasonable data security measures to protect the security, confidentiality and integrity of private information.
Businesses that have a data security program that includes the following safeguards are deemed to be in compliance with the Act’s requirements:
(a) unencrypted personal information consisting of any information in combination with any of the following data elements: (1) Social Security number; (2) driver’s license number or other identification card number; (3) account, credit or debit card number, in combination with any other information that would permit access to an individual’s financial account; (4) account, credit or debit card number if circumstances exist wherein such number could be used to access an individual’s financial account without additional information; or (5) biometric information; or
(b) a user name or email address in combination with a password or security question and answer that would permit access to an online account.
A number of U.S. legal regimes require companies to take reasonable measures to protect personal information. For example, under Section 5 of the FTC Act, a business is expected to take reasonable and necessary security measures to protect sensitive personal data.
Many U.S. state laws impose requirements on businesses to take reasonable data security measures to protect personal information from unauthorized access and use.
While the SHIELD Act does not provide consumers with a private right of action, the New York Attorney General has enforcement authority and may seek injunctive relief and civil penalties of up to $5,000 for each violation.
In addition to the data security requirements noted above, the SHIELD Act also revises New York’s breach notification requirements. Please see our previous client alert for our analysis of the SHIELD Act’s changes to New York’s breach notification requirements.
Title V of the Gramm-Leach-Bliley Act, HIPAA, New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York State government.
Defined under the Act as any person or business with (i) fewer than fifty employees; (ii) less than $3 million in gross annual revenue in each of the last three fiscal years; or (iii) less than $5 million in year-end total assets.