Signed into law on July 25, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act creates additional protections for New York residents and their private information by amending General Business Law Section 899-aa and creating a new General Business Law Section 899-bb. The changes to the data breach notification law (Section 899-aa) are effective as of today, while the new data security compliance requirements (Section 899-bb) will become effective on March 21, 2020.
The SHIELD Act modified New York’s preexisting data breach notification law in several ways:
- Global Coverage added. Who is subject to New York’s data breach notification requirements is the most notable change to the former law. Previously, New York’s data breach law only applied to businesses conducting business in the state. The SHIELD Act removes the “conducting business” limitation, and now, regardless of whether the business is operating within New York, the SHIELD Act applies to any business that possesses a New York resident’s private information. This vastly expands the law’s coverage, with potential implications for businesses throughout the United States and abroad.
- Protected “Private Information” more broadly defined. New York’s original data breach notification law included definitions for “personal information” and “private information.” Under the SHIELD Act, the “personal information” definition remains the same, but the “private information” definition is expanded to include three new categories of protected information:
- An account, credit, or debit card number (even without additional identifying information or password);
- Biometric information, including fingerprints, voice prints, or retina images; and
- A username or email address in combination with a password or security question and answer that would allow access to on online account.
- Triggering Events Expanded. The SHIELD Act expands the definition of a triggering “breach” event to include unauthorized “access” to private information. This addition means the SHIELD Act’s notification requirements may be required even when no “acquisition” of data is achieved.
- Notice provisions altered. To avoid notice requirements for inadvertent disclosures of private information by authorized persons, organizations must conduct a harm assessment evaluation. Several other states have adopted similar provisions, which require businesses wishing to avoid the notice requirement to make a reasonable determination that such inadvertent disclosure will not likely result in misuse of that information or financial or emotional harm. Companies must make such determinations in writing and retain their records for five years. However, even if notice to the affected residents is not required, businesses must share with the state’s Attorney General any harm assessment evaluation for an incident affecting over 500 residents.
New Compliance Program Requirements
The SHIELD Act also includes an expansive set of new compliance program requirements, which will go into effect in March 2020. The newly created Section 899-bb requires all organizations possessing private information about a New York resident to implement a data security program. The SHIELD Act details the administrative, technical and physical safeguards required to protect information adequately. Examples of required steps include appointing an employee to coordinate the compliance program, conducting network risk assessments and improving physical intrusion detection mechanisms.
The Act does provide some leeway for complying with this extensive new requirement. If a business is already compliant with GLBA, HIPAA Part 500 or any other federal or New York state data security rules, regulations or statutes, Section 899-bb will not apply. There is also some flexibility written into the law for small businesses, defined as one with (1) fewer than 50 employees (2) less than $3 million in gross annual revenue in each of the last three fiscal years or (3) less than $5 million in year-end total assets. However, small businesses are not completely exempt from the compliance program requirements.
All companies, regardless of where they operate, should closely consider their responsibilities under the SHIELD Act, as penalties for non-compliance may be harsh. A knowing or reckless violation could lead to a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, with an upper limit of $250,000 in penalty. The Attorney General’s office will now have up to three years to bring an enforcement action, compared to the previous granted two years. The SHIELD Act’s text also allows the Attorney General to impose penalties for failing to comply with the compliance program requirements, even without a breach incident.
In light of the SHIELD Act, organizations must:
- Determine if they are in possession of private information for New York residents, even if they are not conducting business in New York;
- Develop or modify internal policies regarding identifying and responding to a data breach; and
- Ensure they implement administrative, technical and physical safeguards as required under the new section of the law.