SHIELD ACT Expands Notification Obligations for Breaches Affecting New York Residents
On July 25, 2019, New York Governor Andrew M. Cuomo signed into law a new data security law, the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act. The SHIELD Act expands New York’s existing data breach notification law by broadening its scope and imposing more stringent notification and procedural requirements on businesses in the aftermath of a data breach. The Act also requires companies to implement “reasonable safeguards” to protect consumer data.
The SHIELD Act
The SHIELD Act comes in the wake of several high-profile data breaches. In his press release announcing the legislation, Governor Cuomo highlighted the data breach of the credit-reporting company Equifax, which recently agreed to pay up to $600 million to resolve federal and state investigations into the 2017 breach that compromised the information of more than 147 million people. The investigations into Equifax revealed that it had been aware of a vulnerability in its security systems months before the breach occurred, and failed to notice the breach or inform consumers of it for 76 days.
The SHIELD Act expands the definition of what constitutes a data breach, requiring companies to notify any resident of New York state when their private information is accessed—not just when it is acquired—by unauthorized third parties. If unauthorized third parties viewed, “communicated with,” used, or altered such information, the new law treats these as indications that unauthorized access took place.
Additionally, the SHIELD Act purports to expand the geographic application of New York’s data breach notification law to include any person or entity that “owns or licenses computerized data which includes private information” of a New York resident. This is a significant change from prior legislation, which applied only to persons or entities that conducted business in New York state.
Among other notable changes to prior New York law governing data breaches, the SHIELD Act also:
- Requires that companies implement “reasonable safeguards” to protect consumer data, including reasonable administrative safeguards, reasonable technical safeguards, and reasonable physical safeguards; 
- Expands the scope of information covered in the definition of a data breach to include account number, credit card number, or debit numbers (in certain circumstances); biometric information; and user names or email addresses in combination with security passwords or security questions and answers; and
- Updates notification and procedural requirements following a data breach by requiring companies to provide, in their notice to consumers, the contact information of “the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information.”
- The Act provides that the New York Attorney General may seek injunctive relief, actual damages for persons harmed by a lack of notice of a data breach, and civil penalties. If the court determines that there was a knowing or reckless violation, the court may impose a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, provided that the latter amount shall not exceed $250,000. The Act also provides that for violations of the new “reasonable safeguard” requirements, the New York Attorney General can seek to enjoin such violations and can seek civil penalties of not more than $5,000 for each violation.
- All provisions of the Act, with one exception, take effect 90 days after enactment. The exception, Section 4, contains provisions requiring companies to implement “reasonable safeguards” to protect consumer data, and takes effect 240 days after enactment.
The SHIELD Act is representative of the trend towards heightened requirements regarding data handling and data breaches throughout the United States and internationally. With the steady increase in the number of data breaches, lawmakers and regulators are increasingly focused on ensuring that companies provide transparency to affected consumers (and imposing fines for companies unable or unwilling to comply). In a press release announcing the new law, Governor Cuomo stated: “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
In light of the SHIELD Act, companies wherever located should determine whether they hold data pertaining to New York residents and therefore whether the SHIELD Act’s terms apply to them. Covered entities may need to update their data security policies and controls and their incident response plans to comply with the new requirements.