As mentioned in my last blog post, there are data breach notification laws on the books in 48 states, including New York. On July 25, Governor Cuomo signed into law Senate Bill 5575, the “Stop Hacks and Improve Electronic Data Security Act” (the SHIELD Act), which had passed the Legislature on June 17, 2019.
The SHIELD Act amends New York’s data breach notification statute, General Business Law §899-aa, to update its definitions.* The Act also creates a new §899-bb, requiring substantive data security controls by any person or business that owns or licenses computerized data, including the defined “private information” of a New York resident.** In doing this, New York has brought itself into line with a number of states concerning how they define a data breach, and, where applicable, what substantive security controls they require. The SHIELD Act’s jurisdictional reach is expansive – if you own or license computerized private information concerning New York residents, you fall within the statute’s requirements.
When is a Company/Individual Compliant with SHIELD?
The SHIELD Act requires employers in possession of New York residents’ private information to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” “Private information” is robustly defined to include, among other things, a driver’s license number, credit or debit card number, financial account number, biometric information, and username or e-mail address with a password that permits access to an online account. Because “private information” includes an individual’s name and their social security number, every employer with employees in New York must comply with the SHIELD Act.
While the SHIELD Act does not mandate specific safeguards, it does provide that a business will “be deemed to be in compliance with” the SHIELD Act if it implements a “data security program” that includes certain administrative and technical safeguards enumerated in the SHIELD Act. Those elements include, for example:
- Designating an employee or employees to coordinate a data security program.
- Training all employees of the business in the data security program’s practices and procedures.
- Assessing internal and external risks and implementing procedures to reduce those risks.
- Vetting vendors and service providers to ensure they, too, safeguard private information.
- Properly and securely disposing of private information after it is no longer needed for business purposes.
A person or business can also demonstrate compliance with SHIELD by being a “compliant regulated entity” (i.e., it is in compliance with other regulatory schemes requiring information security, such as the Health Insurance Portability and Accountability Act Security Rule, or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies).
When Does a Company/Individual Have to Provide a Breach Notification to a New York Resident?
In addition to requiring reasonable safeguards to protect the private information of New York residents, the SHIELD Act also amends New York’s existing security breach notification law to broaden notification obligations. As mentioned above, “private information” is robustly defined in the SHIELD Act. And, if private information is compromised, it could trigger notification obligations. For example, the inclusion of biometric information as “private” means that employers who rely upon biometric time clocks to record employee time will have a disclosure obligation if that information is compromised.
The SHIELD Act also expands the definition of “breach,” to include unauthorized access, rather than unauthorized acquisition.
The SHIELD Act adds an important carve-out from the breach notification requirement for inadvertent disclosures of private information that are not likely to result in misuse of information. To benefit from this exception, the employer must:
- Document its determination that the inadvertent disclosure is not likely to result in misuse.
- Maintain that documentation for five years.
Moreover, if the incident were to involve the private information of more than 500 New York residents, the employer would be required to submit the documentation to the state’s attorney general within ten days of that determination.
While the SHIELD Act does not permit a private right of action, enforcement by the state’s attorney general is provided for. The SHIELD Act also doubles the penalty recoverable by the attorney general per failed notification, and increases the maximum penalty from $100,000 to $250,000.
Although what exactly the SHIELD Act means for individuals and businesses remains to be seen as enforcement actions are initiated and consent decrees and judicial interpretations are provided, I suspect many residents welcome the SHIELD Act, given that New York’s reporting obligations have lagged somewhat behind other states.
* The breach notification amendments take effect on October 23, 2019.
** The data security safeguard implementation takes effect on March 21, 2020.