Earlier this month, the New York State Legislature passed a sweeping data protection law entitled the Stop Hacks and Improve Electronic Data Act (S.6933-B) (“SHIELD Act”). If the bill is signed into law by Governor Cuomo, the SHIELD Act will provide residents of New York with greater data and privacy law protections and impose requirements on companies to implement and maintain reasonable safeguards to protect the confidentiality and security of private information (even if those companies are located outside of New York). Importantly, the SHIELD Act does not provide for a private right of action in the event that a company violates the proposed new data privacy law.
What does the proposed data privacy law cover?
Overview of the Key Provisions of the Data Privacy Law
New York’s current data breach notification statute defines personal information as “any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person.” Private information is defined as personal information used in conjunction with a person’s social security number, driver’s license, and account numbers combined with an access code.
The SHIELD Act would amend New York’s prior data breach notification requirements by expanding the categories of “private information” to also include: (1) a user name or e-mail address in combination with a password or security question and answer that permits access to an online account; (2) biometric data; (3) financial account numbers that can be used to access accounts without additional identifying information or a security code; and (4) protected health information. In addition, the SHIELD Act broadens the definition of “breach” to include instances of “unauthorized access” to private information (not just unauthorized acquisition of private information). In determining whether unauthorized access has occurred, a company may consider indications that the information was viewed, altered, or communicated with by an unauthorized person or third party.
The SHIELD Act provides a safe harbor under which a data breach does not have to be disclosed to the affected individuals if the company verifies that the private information was inadvertently disclosed by a person authorized to access that private information and the company determines that the exposure of such private information will not result in financial or emotional harm to the affected persons. Such a determination must be documented in writing, maintained for five years, and provided to the New York Attorney General’s Office within 10 days after the determination is made.
The SHIELD Act requires companies to implement reasonable administrative, technical, and physical “safeguards to protect the security, confidentiality, and integrity of private information” (except those subject to federal financial or health authority regulators). Examples of such safeguards include: (1) designating one or more employees to coordinate the security program; (2) selecting vendors capable of maintaining appropriate safeguards; (3) detecting, preventing, and responding to attacks or system failures; (4) preventing unauthorized access to private information; and (5) disposing of private information within a reasonable time after it is no longer needed for business purposes.
The New York Attorney General can bring a civil action, and obtain monetary penalties and injunctive relief, against entities that fail to adopt and maintain reasonable safeguards for the private information of New York residents; such violations can result in penalties of $5,000.00 per violation. In failure-to-notify cases, actual damages are available, in addition to civil penalties for knowing or reckless violations. These penalties are assessed as the greater of $5,000.00 or $20.00 per notification failure, up to a cap of $250,000.00.
Compliance with the SHIELD Act
As currently written, the SHIELD Act would apply to any person or entity that handles private information of New York residents, though standards are somewhat relaxed for small businesses. Companies should begin drafting written security policies that satisfy the SHIELD Act’s specific requirements.
However, for marketing companies that only collect a user name and/or e-mail address without collecting a password or security question/answer, the statute may not apply (so long as these marketing companies are not otherwise collecting “private information” that falls within the definition of the SHIELD Act).