Self-storage operators and suppliers that possess the private information of any New York resident must be in compliance with the breach-notification amendment of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act by Oct. 23. Passed in July, the New York measure broadens the scope of information covered under the state’s notification law and updates the requirements for incidents of data breach. It also updates data-security requirements, which will take effect on March 21, according to a blog post on the national Self Storage Association (SSA) website.
In addition, the SHIELD Act broadens the definition of what constitutes a data breach to include an unauthorized person gaining access to information. It requires businesses to maintain “reasonable data security,” provides standards tailored to business size, and implements protections from liability for certain entities, according to the bill summary.
Though the measure is a New York law, its scope affects any business outside the state that possesses the private information of any New York resident. The move is similar to other recent updates to data-security and privacy laws passed in California and Nevada as a way for lawmakers to keep pace with evolving threats and technology, SSA officials said. New York-based businesses that have the private information of state residents must also ensure they have required data-security safeguards and notification systems in place.
The law includes a provision that requires “small businesses” to comply with only some of the data-protection requirements. Under the measure, these are defined as those with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets.
“If a [self-storage business] anywhere in the country has the private information of a customer or tenant who is a New York resident, that business is now covered by the SHIELD Act and must take the necessary steps to comply as well,” wrote Daniel Bryant, legal and legislative counsel for the SSA. “It is best to consult with a data-security attorney and/or specialist to fully understand the technical nuances of the law and what businesses must do to make sure their data security system provides the minimum protection required by the SHIELD Act.”
Under the law, private information is defined as including a resident’s personal information in combination with several data elements such as Social Security number and driver’s license number. There are also several defining provisions for combinations of information that could constitute a breach, according to an SSA memo. These include:
- Credit or debit card numbers in concert with account information, passwords, access codes, etc., that would provide access to someone’s financial account
- Personal information in combination with a username or e-mail address, along with a password or security question and answer that would permit access to someone’s online account
Enforcement of the law falls under the New York attorney general’s office, which can seek injunctive relief as well as monetary civil penalties. If a business is determined to have “knowingly and recklessly” violated the SHIELD Act, the penalty could be $5,000 or up to $20 per instance of failed notification, whichever is greater, but not to exceed $250,000. Failure to comply with the data-protection requirements could result in penalties of up to $5,000 per violation, according to the memo.
Sources:
- Self Storage Association, Operators With New York Customers Must Prepare for New Data Security Requirements
- New York State Senate, Senate Bill S5575B