Starting in March 2020, companies that maintain or process New York residents’ personal information will need to comply with New York’s stringent new data security requirements.
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act amends New York’s data breach notification law and places more stringent data security requirements on all businesses that process or maintain the personal information of New York residents. The Act applies to “[a]ny person or business which owns or licenses computerized data which includes” New York residents’ “private information” and does not exempt non-profit organizations.1 Although the Act does not include a private right of action, it authorizes the New York Attorney General to pursue injunctive relief and civil penalties. On October 23, 2019, New York’s expanded data breach requirements took effect.
In addition to the data breach amendments, the SHIELD Act imposes new data security requirements on covered entities that will take effect on March 21, 2020. The expanded breach notification law is now one of the strictest in the country, and the data security requirements are unique among the states. Failure to comply could subject companies to injunctions and significant civil penalties with no aggregate cap. To avoid these penalties, companies should closely examine the new requirements and consider implementing more robust data security programs and practices.
Data Breach Notification Amendments
The SHIELD Act amends New York’s existing data breach notification law in several respects, including by increasing its jurisdictional reach. Previously, New York’s data breach notification law only applied to entities conducting business in the state. Under the Act, covered entities include any entity that “owns or licenses computerized data which includes private information,” and its duties are triggered by any breach involving the private information of New York residents.2 The Act also broadens the definition of “private information” to include biometric information (including, but not limited to, fingerprint, retina, or voice recognition data); a username or email address in combination with either a password or security questions and answers; and an account number or credit/debit card number, even without a security code, access code, or password if the account could be accessed without such information.3 Before this amendment, “private information” was limited to (1) a social security number; (2) a driver’s license number or non-driver identification card number; or (3) an account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The new definition expands the range of breaches that could trigger companies’ notification duties. For example, any company processing or maintaining any kind of biometric data corresponding to New York residents must notify consumers in the event of a breach containing that data in combination with any other non-private information.
The SHIELD Act also expands the definition of a breach to include unauthorized “access” of computerized data that compromises the security, confidentiality, or integrity of private information—no longer limiting breach to the unauthorized “acquisition” of such data.4 The Act provides some illustrative, non-exhaustive examples of what may constitute unauthorized access or acquisition, including indications that information was viewed by an unauthorized individual, indications that information was downloaded, and indications of unauthorized use such as reports of identity theft.5
Notably, the SHIELD Act includes a risk-of-harm exception to its notification requirements. Covered entities are not required to notify affected individuals of a breach if (1) the breach resulted from an “inadvertent disclosure by persons authorized to access private information”; and (2) the entity “reasonably determines such exposure will not likely result in” misuse of the information or financial or emotional harm to the affected individual.6 A covered entity is required to document the risk-of-harm determination in writing, maintain that determination for at least five years, and provide the determination to the attorney general within ten days if the breach affected more than 500 New York residents.
New Data Security Requirements
The SHIELD Act also requires all covered entities to maintain “reasonable” data security safeguards. Although small businesses and non-profit organizations are subject to this safeguards requirement, the Act provides that safeguards should be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”7 The Act defines a small business as any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets.8 The Act lists non-exhaustive examples of security measures that would meet the reasonable data security measures standard, including: designating personnel to coordinate the security program; training employees in security practices and procedures; conducting internal and external risk assessments; maintaining reasonable retention and deletion practices for consumers’ personal information; and regular testing and monitoring of key controls and security systems.9
Finally, the SHIELD Act increases civil penalties for non-compliance. Penalties for failure to notify affected individuals of a breach have doubled from $10 to $20 per instance, and the cap for breach notification penalties has increased from $100,000 to $250,000.10 The attorney general may enforce the new data security requirements by imposing penalties of up to $5,000 per violation with no cap on aggregate penalties.11 The data security requirements are tied to New York’s consumer protection laws for enforcement purposes, such that failure to comply with the requirements will be deemed a violation of N.Y. Gen. Bus. Law § 349 and subject to the penalties authorized in § 350-d.12 N.Y. Gen. Bus. Law §§ 349 and 350-d implement New York’s deceptive trade practices and false advertising laws, respectively. By tying the SHIELD Act to these laws, New York has expanded the breadth of the attorney general’s consumer protection enforcement powers.
The SHIELD Act expressly excludes any private right of action, so companies do not face any greater risk of consumer class actions as a result. However, the decision to link penalties to consumer protection law means that companies must look to that area of law for guidance on enforcement and interpretation. In other consumer protection contexts, courts have deferred the imposition of civil penalties under § 350-d until after a separate hearing to determine the number of violations.13 Because § 350-d is a false advertising law, past calculations have included “each improper advertisement” or “each improper consumer transaction.”14 How this will translate to the data security context remains an open question, but the lack of any cap on aggregated penalties carries a significant risk for non-compliant companies. In the remaining months before the data security requirements take effect, companies should seek compliance counseling to minimize their exposure to potentially severe aggregated penalties.
To meet these new requirements, companies should consider looking to federal and state data security best practices. In addition to the security measures listed in the statute—including designating dedicated security personnel, training all employees on security practices, and conducting regular risk assessments—companies could consider the NIST Cybersecurity Framework and the New York State Department of Financial Services Cybersecurity Regulation (NYDFS Regulation) as resources to identify reasonable data safeguards. The NIST Framework is a thorough and flexible set of best practices intended to guide organizations through the steps of creating a cybersecurity program: from scoping and prioritization, to risk assessment, to the creation and implementation of an action plan appropriate to the size and needs of the organization. The NYDFS Regulation, while only applicable to certain financial institutions operating in New York, details the components of a robust cybersecurity program and provides concrete steps for implementation. Although these frameworks may not be directly applicable to entities subject to the SHIELD Act, they provide valuable sources of best practices that, if implemented, could mitigate the risk of penalties under the Act.
With the increased data breach reporting requirements now operative and the data security requirements set to take effect in early 2020, New York will be a critical jurisdiction to watch for trends in data breach and data security enforcement.