Everything about data is about to change for retailers doing business in New York State. On March 21, a new law regarding data security goes into effect and retailers of all sizes have less than a month to prepare for strict regulations that make current statutes look liberal by comparison.
The law is called the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act. It is an update to current New York State data standards and has been called “sweeping in its reach” and a “dramatic expansion” of the attorney general’s office in terms of data security enforcement. It matters less to banking and healthcare, which are already governed by strict sector standards (such as HIPAA for health data) and are treated as compliant with SHIELD’s safeguard requirement when they meet those regimes. But for retail, which has relied on best practices rather than strict laws, it is a game changer.
First, SHIELD applies not only to retailers headquartered in New York. It reaches any business that owns or licenses the private information of New York residents, whether or not it has a physical presence in the state. Under the old law, the New York attorney general could only act after a data breach. Now no breach is needed. Whistleblower complaints or customers who are suspicious about data collection or subsequent usage can trigger an inquiry from the AG’s office. The legal community expects that the law will be aggressively enforced.
“Under the Act, the New York Attorney General has both expanded enforcement authority and the ability to impose civil penalties and injunctive relief,” according to legal database firm JD Supra. “Accordingly, companies outside of the financial and healthcare industries should pay particular attention to the new data security obligations in the Act. Given these developments, companies should expect to see increased enforcement in New York this year within the cybersecurity space.”
The law draws immediate comparison to the California Consumer Privacy Act (CCPA). That law is clear about how data can be collected and used and allows private lawsuits, such as the one filed earlier this month against Salesforce. There is no private right of action in SHIELD. But it does leave open the term “reasonable security” as a litmus test for whether a retailer has acted in good faith to protect consumer data. What is “reasonable security”? The law lists roughly a dozen example elements, grouped into administrative, technical and physical safeguards. The most important administrative elements are: 1) appointing a designated employee to coordinate the security program; 2) identifying reasonably foreseeable internal and external risks; and 3) a program that assesses the sufficiency of the safeguards in place to control the identified risks. The technical and physical examples go further than paperwork: assessing risk in network and software design, detecting and responding to attacks or system failures, regularly testing and monitoring key controls, and disposing of private information securely once it is no longer needed. Smaller businesses may scale these safeguards to their size and the sensitivity of the data they hold, but they are not exempt. The attorney general can seek civil penalties for violations of the act.
According to a Verizon report, retail accounts for only 4.8 percent of data breach incidents each year compared to 24.3 percent for financial services. Government agencies see more than 70 breach incidents a day. According to the National Retail Federation, “data thefts committed against retailers receive the most attention because retail stores are household names consumers know. In addition, many state data breach laws require only retailers to notify the public of breaches without requiring banks to do the same. That can lead to the incorrect assumption that retailers are responsible for the bulk of breaches and can leave consumers in the dark about hundreds of non-retail breaches each year that put them at risk of identity theft or financial harm.”
The move also comes as Congress considers federal legislation that would build on these state regulations. Sponsored by New York Sen. Kirsten Gillibrand, the Data Protection Act would establish a new independent federal agency, the Data Protection Agency, which would write and enforce data rules. While the state-level regulations are aimed at companies that collect and act on customer data themselves, the federal bill is said to be aimed at third-party data brokers.
“For data brokers, in particular, people have tried [to find out what they know] and most of the time they won't share it because that’s their product. The thing that has a value is all that data. So, they don’t want to give it away,” said Prof. Jennifer Golbeck, who specializes in data privacy at University of Maryland’s College of Information Studies, in a recent interview on the Denver Channel. “It’s their data. It’s about you. And that, I think, is really the fundamental problem with how we think about data in the U.S. It is my data. It’s information about me. But I don’t have a right to it. I don’t own it here.”
Experts in the legal field recommend proactive assessments of data practices, especially for smaller companies that might not have an in-house legal team.
“It is unquestionably better to find and deal with risk and vulnerabilities (and remediate them) before an attacker finds them first, and exploits them to your detriment,” said The National Law Review in a late 2019 look ahead at the SHIELD Act and other data privacy efforts. “Failure to comply with the Shield Act’s risk and vulnerability assessment requirements might also earn your organization not only a fine or penalty, but a bad day in court. Cyber risk today is enterprise risk.”
The most important strategy here is to assess current practices. In practice that means inventorying what private information the business holds, where it is stored and transmitted, who can access it, and how it is disposed of, and then documenting the safeguards in place against each identified risk. Retailers compete on data. Understanding the sensitivity around data usage should be a call to get the house in order, not to stop data usage entirely.