In November 2017, New York Attorney General Eric Schneiderman introduced the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (the “Act”) in the state’s Legislature. Companies – big and small – that collect information from New York residents should take note, as the Act could mean increased compliance costs, as well as potential enforcement actions for those that do not meet the Act’s requirements. This blog post provides a breakdown of the essential components of the SHIELD Act and information on how to comply with this potential new law.
What is the purpose of the Act?
As its title suggests, the primary aim of the Act is to minimize the occurrence of data breaches via the introduction of cybersecurity requirements. It also introduces revisions to New York’s current data breach notification law. The Act is especially notable for its wide-ranging scope, which could make its requirements applicable to all companies that handle personal data of New York residents – even if those companies do not otherwise conduct business in the state.
What information is subject to the Act?
As proposed, the Act is primarily concerned with “private information” as opposed to “personal information”: for example, both the cybersecurity and data breach notification provisions of the Act impose requirements relating to “private information,” but not “personal information.” Under current New York law, “personal information” is defined as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person,” while “private information” is any personal information in combination with a person’s social security number; driver’s license number; or account, credit, or debit card number (in combination with additional information, such as a security code, that would allow access to the account).
The Act leaves the current definition of “personal information” intact, while revising the definition of “private information” to include financial account numbers that can be used alone to access a financial account, as well as biometric data, as types of data that, when combined with “personal information,” may lead to that data being reclassified as “private information.” The Act also states that additional types of data are considered “private information” standing alone – even in the absence of additional identifying “personal information” – including a username or email address in combination with a password or security question and answer that permits access to an online account; and unsecured protected health information covered by the federal Health Insurance Portability and Accountability Act (HIPAA).
What companies would be subject to the law?
The SHIELD Act would apply to any person or entity with private information of a New York resident, not just to those that conduct business in New York State. This means that even if a business does not have an office or any employees in New York, it still may be subject to the law’s requirements – think, for example, of an app developer based in California that does not specifically market to or otherwise target consumers in New York, but allows New Yorkers to create accounts and use its services. Practically speaking, there are questions as to whether New York will be able to assert jurisdiction over companies without any presence in the state, but other states have enacted similar laws and have enforced them against businesses with no presence in their state.