On July 25^th, 2019 New York Governor Andrew Cuomo signed the Stop Hacks and Increase Electronic Data (SHIELD) Act. The new law amends New York’s existing data breach notification law to include new cybersecurity requirements for businesses operating in New York.

SHIELD appears to be a slightly more lenient version of the New York Privacy Act, which was voted on in June by the New York legislature, but failed to pass. The New York Privacy Act was a virtual copy of the California Consumer Protection Act (CCPA), except that it applied to all businesses and contained a private right of action (the right to sue) for all consumers.

Fortunately for auto dealerships, SHIELD does not allow for the private right of action. Only the state attorney general can bring suit against businesses that are out of compliance.

However, SHIELD expands the definition of a “breach of the security of the system.” Previously, the law defined breach as unauthorized acquisition of computerized data. Now a breach is defined as unauthorized access to or acquisition of such data.

The new law also expands the definition of New York residents’ “personal and private information” to include:

• Name
• Phone number
• User name or email address, that if combined with a password or security question would permit access to an online account
• Account number, credit or debit card number
• Security code, access code or password
• Biometric information

Perhaps most significant for auto dealers, SHIELD requires businesses to implement “reasonable measures” to protect New York residents’ private and personal information.

What are Reasonable Security Measures?

New York’s amended data breach notification law requires businesses to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information, including, but not limited to, disposal of that data.

This means that auto dealers will be required to implement a data security program that:

• Designates one or more employees to coordinate the security program
• Identifies reasonably foreseeable internal and external risks
• Assesses the sufficiency of safeguards in place to control the identified risks
• Trains and manages employees in the security program practices and procedures
• Selects services providers capable of maintaining appropriate safeguards, and requires those safeguards by contract
• Adjusts the security program in light of business changes or new circumstances
• Assesses risk in network and software design
• Assesses risk in information processing, transmission and storage
• Detects, prevents and responds to attacks or system failures
• Regularly tests and monitors the effectiveness of key controls, systems and procedures
• Assesses risks of information storage and disposal
• Detects, prevents and responds to intrusions
• Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information
• Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Auto dealerships that fail to comply with these requirements shall be deemed to have violated the law, paving the way for the attorney general to bring action on behalf of the people of the state of New York.

SHIELD takes effect in March 2020, so dealers don’t have a lot of time to prepare.

Compliance requires a sense of urgency and a detailed plan of action. Steps to take include:

• Understand where your current IT environment falls short of the required “reasonable measures.” Order a gap analysis, also known as a Risk & Vulnerability Assessment, from a qualified information technology (IT) services provider.
• Create a prioritized remediation plan that fills gaps identified.
• Implement the plan. Seek help if you are shorthanded.
• Maintain compliance with ongoing management. IT isn’t static and it’s easy to fall out of compliance if things aren’t routinely managed and monitored.