Last Thursday, Governor Cuomo signed New York’s latest data security bill – the Stop Hacks and Improve Electronic Data Security, or “SHIELD” Act. The Act, which we have followed on this blog since November 2017, imposes new notification obligations on businesses managing private data when a security breach occurs. Capital One’s recent breach underscores the significance of the changing regulatory landscape, as both businesses and the government attempt to navigate and protect against large-scale cybersecurity attacks, and the importance of understanding notification obligations, should those efforts fail.
We analyzed the SHIELD Act in several prior posts, but it’s worth a refresher here since it will come into effect next March. The Act pertains to any person or entity that possesses the personal information of New York residents; the entity need not have a physical presence nor conduct business in New York to be covered by the Act.
Beyond that core expansion of New York’s current breach notification law, the Act creates new obligations regarding data security and proper notification by doing the following:
- Expanding the definition of “private information” to include:
  - bank account, debit, or credit card information in combination with other personal, identifying information, if circumstances exist where that information is sufficient to access the individual’s financial account;
  - biometric information such as a fingerprint or retinal images;
  - a user name or email address in combination with a password or security question and answer, permitting access to an online account.
- Broadening the definition of a security “breach” to include unauthorized access to private information, whether or not the information was actually “acquired” or obtained through a breach. To this end, the Act encourages businesses attempting to determine whether private information has been accessed by unauthorized users to consider, among other factors, whether the information was “viewed, communicated with, used or altered” without valid authorization.
- Updating the notice requirements in connection with a breach to exclude notice where authorized users caused an inadvertent disclosure of private information, and it was determined that such exposure was unlikely to “result in misuse of such information, … financial harm … or emotional harm in the case of unknown disclosure of online credentials.”
The final version of the Act also incorporates certain exceptions concerning notice to the public if a breach occurs; requirements as to notice to the Attorney General; and limits on enforcement actions brought by the Attorney General, among the other features described in our post earlier this month. Additionally, unlike California’s new privacy law, the CCPA, the SHIELD Act does not create a private right of action for individuals against covered entities based on a security incident.
The SHIELD Act is slated to take effect in March 2020.