The New York SHIELD Act (“SHIELD”), which went into effect in 2020, provides needed clarity around what constitutes reasonable data security. The word “reasonable” serves a legal purpose; it is more familiar from terms such as “reasonable cause” or “reasonable doubt.” But what does reasonable data security mean?
The law applies to all organizations (nonprofit or otherwise) that collect private information belonging to anyone who is a resident of New York State, and this includes employees, constituents, volunteers — any person. Examples of private information include social security number, driver's license number, account numbers, and biometric information.
Reasonable means that the data security measures a global Fortune 100 company puts in place are likely to differ in scope from those a 20-person nonprofit organization would institute.
That said, if a 5-person nonprofit collects highly sensitive personal data — legal records, information belonging to minors, sensitive healthcare information — that organization would need to take precautions in a manner that is reasonable given the nature of the information.
While there is a seemingly subjective aspect to reasonableness, NY SHIELD provides clear criteria for understanding what practices and protocols need to be in place to ensure data security.
Here is a checklist to better understand what constitutes reasonable data security:
Is there a person at your organization who is responsible for the administration and management of an organizational cybersecurity program?
Has your organization conducted a risk assessment to identify threats and vulnerabilities regarding the data that you use?
Does your organization have a Data Security Policy or Data Breach Policy that is in place and understood by employees?
Does your organization provide cybersecurity training to all employees at least annually?
Does your organization have a mechanism in place to conduct periodic phish testing with all staff and then review the results?
Does your organization have a process for selecting and contracting with service providers who are capable of showing that they maintain reasonable safeguards?
Does your organization have a process for regularly reviewing your cybersecurity program?
If there was a breach at your organization, would you be able to notify all affected New York residents whose records are in your systems within 72 hours?
Has your organization conducted a risk assessment to identify threats and vulnerabilities in your network or software systems?
Does your organization have a data inventory that classifies data and documents collection, storage and transfer points?
Does your organization have an Incident Response Plan in place that staff can utilize in the event of an attack or system failure?
Does your organization have processes for regularly testing and monitoring all key features of the security program?
Does your organization have a process for assessing risks associated with information storage and disposal?
Does your organization have a system for detecting, preventing and responding to physical intrusions?
Does your organization have safeguards in place to prevent unauthorized access during or after collection, transportation and destruction or disposal of information?
Does your organization have a Data Retention Policy or Data Deletion Policy that is understood and followed by all staff?
Does your organization have a process for disposing of private information securely when that information is no longer needed?
We are fans of the NY SHIELD Act because, unlike the privacy laws being passed in different states across the country, it defines clear criteria for understanding what constitutes reasonable data security. We are also aware that such a comprehensive data protection law may be daunting for organizations that are not familiar with cybersecurity and data protection.
RoundTable can help you understand your organization’s risks and build a program that meets the requirements for reasonable safeguards under this law and protects your data.