On July 25, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act. Originally introduced in 2017 in the wake of the Equifax breach, the new legislation amends New York’s data breach notification law and creates minimum data security requirements for certain persons and businesses that own or license data relating to New York residents.
Updated Data Breach Notification Obligations
New York’s prior data breach notification law required disclosing a data breach to affected individuals whose private information was, or was reasonably believed to have been, acquired by a person without valid authorization.
The SHIELD Act expands the definition of “private information” to include both (i) account, credit card, or debit card numbers that can be used to access an individual’s financial account without an additional identifying number or security code, and (ii) biometric information, such as a fingerprint, voice print, or retina or iris image, as categories of data that constitute private information when combined with other personal information. In addition, the SHIELD Act provides that a user name or e-mail address, together with a password or security question and answer that would permit access to an online account, constitutes private information even in the absence of any other personal information. The definition of “personal information” remains intact as information concerning a natural person that can be used to identify that natural person.
The SHIELD Act also broadens the definition of “breach” beyond unauthorized acquisition to include unauthorized “access” to computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business. To determine whether information has been accessed, a business may consider whether the information has been viewed, communicated with, used, or altered.
The SHIELD Act also allows an entity to avoid disclosing a data breach to affected individuals if the exposure of private information was an inadvertent disclosure by persons authorized to access such information, and if the entity reasonably determines, and documents in writing, that the exposure will not likely result in the misuse of such information, financial harm to the affected individuals, or emotional harm (in the case of online account credentials). However, if the breach affects over five hundred (500) New York residents, then the entity must provide that written determination to the New York Attorney General within ten days after making it.
Minimum Data Security Obligations
As a significant change to New York’s data breach notification law, the SHIELD Act requires a number of “reasonable safeguards” that entities must maintain to protect private information. The act includes a safe harbor for entities that are already subject to, and in compliance with, certain other data security requirements under federal or New York law (e.g., HIPAA or the NY DFS Cybersecurity Regulation). Small businesses are excepted from the listed safeguards and are, instead, required to maintain safeguards that are appropriate to the size and complexity of the business, the nature and scope of their activities, and the sensitivity of the personal information they collect. Entities falling outside this safe harbor and exception must implement a data security program that includes reasonable administrative, technical, and physical safeguards, including:
- designating one or more employees to coordinate the security program;
- detecting, preventing and responding to attacks or system failures;
- regularly testing and monitoring the effectiveness of key controls, systems, and procedures;
- assessing risks in network and software design;
- disposing of private information within a reasonable amount of time after it is no longer needed for business purposes;
- several other administrative, technical, and physical safeguards.
Applicability and Enforcement
The SHIELD Act applies to any person or business that owns or licenses computerized data that includes private information of New York residents, even if it does not conduct business in New York.
If the data breach notification requirements are violated, the New York Attorney General may bring an action to enjoin the violation and seek actual damages incurred by affected individuals entitled to a breach notice, including consequential financial losses. Entities that knowingly or recklessly violate the notification requirements are subject to a civil penalty equal to the greater of $5,000 or $20 per failed notification (the latter of which is capped at $250,000).
If the data security requirements are violated, the New York Attorney General may bring an action to enjoin the violation and seek civil penalties of not more than $5,000 per violation. However, it remains unclear whether a violation would be measured in the number of individuals affected, the number of ways in which the entity failed to meet the SHIELD Act’s data security requirements, or something else. There is no private right of action for violations of the act’s data security requirements.
What This Means For You
The SHIELD Act’s breach notification amendments take effect on October 23, 2019; its data security obligations take effect on March 21, 2020. Companies that own or license private information of New York residents should review their incident response plans and information security programs to ensure that they comply with the SHIELD Act’s specific requirements.