On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which significantly amended the state’s data breach notification law to impose additional data security and data breach notification requirements on covered entities.
Under the new law, the definitions of “private information” and “breach of the security system” have been revised in ways that broaden the circumstances that qualify as a data “breach” and could trigger the notification requirements. First, private information has been expanded to include:
- (a) financial account numbers that can be used alone to access a financial account;
- (b) biometric data used to authenticate an individual’s identity;
- (c) standalone data such as a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
- (d) unsecured protected health information covered under HIPAA.
These changes effectively expand the types of situations covered by the law that could result in a breach of system security and trigger the notification requirements.
Second, the circumstances that qualify as a “breach” have been expanded to now include incidents that involve “access” to private information, regardless of whether they resulted in “acquisition” of that information.
Moreover, the SHIELD Act also expanded its data breach notification requirements to mandate compliance by any person or business that owns or licenses computerized data that includes the private information of New York residents, regardless of whether the person or business conducts business in New York. It provides for exemptions under certain circumstances, such as when the “exposure of private information” was an “inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” Additionally, while businesses that are already regulated by and comply with data breach notice requirements under certain state and federal cybersecurity laws, such as HIPAA, GLBA and NY DFS Reg. 500, must also notify the state Attorney General, Department of State Division of Consumer Protection and Division of the State Police, they need not further notify affected New York residents.
New “Reasonable” Data Security Requirements.
The SHIELD Act also enacted requirements for covered entities to implement reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of sensitive data, and the law itself provides examples of “reasonable practices.” Again, compliance is presumed for businesses that are already in compliance with applicable laws such as HIPAA and the GLBA. Notably, there is a limited exemption to the requirement for small businesses, which are defined as any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets.
Enforcement and Penalties for Non-Compliance.
The SHIELD Act does not provide consumers with a private right of action, but instead permits an attorney general to bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are neither reckless nor knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice including consequential financial losses. For reckless or knowing violations, a court may impose increased penalties of the greater of $5000 dollars or up to $20 per instance for a maximum of $250,000. For violations of the reasonable safeguard requirements, a court may impose penalties of not more than $5,000 per violation. The time for commencing an action under the law has also been increased from two to three years from the date on which the attorney general became aware of the violation, or the date that the covered entity provide notice of the breach. No action may be brought after six years from the date the breach was discovered unless the company took steps to hide the breach.
The SHIELD Act takes effect on March 21, 2020.