NY SHIELD Act: A Breach Notification Statute Reborn with Data Security Requirements
Privacy Plus+
Privacy, Technology and Perspective
NY SHIELD Act: A Breach Notification Statute Reborn with Data Security Requirements. This week, we cover the basics of New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act (S.5575B/A.5635), set to take effect on March 21, 2020. A link to the soon-to-be-effective statute follows:
https://legislation.nysenate.gov/pdf/bills/2019/S5575B
The NY SHIELD Act amends New York’s breach notification law, General Business Law §899-aa. Generally, it updates its definitions to expand the type of information covered, and imposes substantive data security obligation on entities that handle the private information of New York residents, in addition to expanding data breach notification requirements.
Let’s take a closer look at the NY SHIELD Act’s 5Ws: Who, What, Where, When, and Why:
Who:
The NY SHIELD Act applies to any “[a]ny person or business which owns or licenses computerized data which includes private information,” regardless of whether that person or business conducts business in New York and regardless of the size or revenue of the business. The law expands its application to any entity with “private information” of a New York resident, not just those who conduct business in New York State, and therefore contemplates an extraterritorial reach.
Unlike the California Consumer Protection Act (CCPA), about which we have previously posted (to read that post, you can follow this link: https://www.hoschmorris.com/privacy-plus-news/california-consumer-privacy-act-who-what-where-when-why-and-now), the NY SHIELD Act does not contain certain size and revenue thresholds. It applies to all “persons” and “businesses” that handle data about New York residents. The only threshold under the NY SHIELD Act relates to breach notification, which is required in the event of an incident affecting over 500 hundred New York residents.
The law also substantially broadens the scope of information covered by expanding the definition of “private information” to include financial account information, passwords, biometric, and similar information that can identify a person as follows:
(a) “Private information” shall mean either: (i) personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information [or] plus the data element is not encrypted or encrypted with an encryption key that has also been accessed or acquired: (1) social security number; (2) driver's license number or non-driver identification card number; (3) account number, credit or debit card number, in combination with any required security code, access code, [or] password or other information which would permit access to an individual's financial account; 27 (4) account number, or credit or debit card number, if circumstances exist wherein such number could be used to access to an individual's financial account without additional identifying information, security code, access code, or password; or (5) biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as fingerprint, voice print, or retina or iris image, or other unique physical representation or digital representation which are used to authenticate or ascertain the individual's identity; or (ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
What:
The NY SHIELD Act enhances New York’s notification so that it now also imposes obligations on entities handling New York residents’ private information to, “develop, implement and maintain reasonable safeguards” to protect the security of private information. The law does not define the term “reasonable,” but it provides examples of “reasonable” administrative, technical, and physical safeguards, which if implemented as part of a data security program, will allow the regulated entity to be deemed compliant.
Examples of “reasonable administrative safeguards” include:
· Having one or more employees to coordinate the security program;
· The designation of one or more employee to coordinate the security program;
· Identifying reasonably foreseeable internal and external risks;
· Assessing the sufficiency of safeguards in place to control the identified risks;
· Training and managing employees about the security program practices and procedures;
· Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and
· Adjusting the security program in light of business changes or new circumstances.
Examples of “reasonable technical safeguards” include:
· Assessing risks in network and software design;
· Assessing risks in information processing, transmission and storage;
· Detecting, preventing and responding to attacks or system failures; and
· Regularly testing and monitoring the effectiveness of key controls, systems and procedures.
Examples of “reasonable physical safeguards” include:
· Assessing risks of information storage and disposal;
· Detecting, preventing and responding to intrusions;
· Protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
· Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes.
The NY SHIELD Act expressly acknowledges that administrative, technical and physical safeguards should be risk-based and “appropriate for the size and complexity” of the business, the nature and scope of its activities, and the sensitivity of the personal information handled by the business.
In addition, the NY SHIELD Act expands the definition of data breach to include “unauthorized access” in addition to “acquisition of” computerized data that compromises the security, confidentiality, or integrity of the private information maintained by a business. Hence, its coverage will apply in cases not only where private information is exfiltrated, but where it is inappropriately accessed or misused by an employee, agent or service provided of a covered business. However, the law does provide for an exception when such access to private information is in “good faith” by an “employee or agent.” Further, notification is not required “if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and such exposure will not likely result in misuse of such information, or financial or emotional harm.
Where:
The NY SHIELD Act applies to any person or business (anywhere) that owns or licenses computerized data which includes private information of New York residents. As we have noted, the notification provisions only apply if an incident affects more that 500 New York State residents.
When:
The NY SHIELD Act’s breach notification amendments were effective on October 23, 2019. Compliance with its data security provisions will take effect on March 21, 2020.
The law itself contemplates a three-year look-back period, authorizing the New York attorney general to commence an action “three years after either the date on which the attorney general became aware of the violation,” or the date that notice of a breach is sent by the business to the affected persons.” However, if a business hides a breach, the attorney general may bring an action up to six years from the date of discovery.
Why:
Governor Cuomo described the impetus for the NY SHIELD Act as follows:
"As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure…"
"The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data."
For the governor’s announcement about the law, you can follow this link:
Notably, the NY SHIELD Act does not have a private right of action. However, penalties have increased, and the law is expressly enforceable by the New York attorney general, who may bring an action in the name of the people of New York to enjoin violations and obtain civil penalties for non-compliance. Penalties for failure to notify affected individuals of a breach have doubled from $10 to $20 per instance of failed notification, and the cap for breach notification penalties has increased from $100,000 to $250,000.
In sum, compliance with NY SHIELD Act now has an extraterritorial dimension, and requires regulated businesses to establish data privacy and security programs with administrative, technical, and physical safeguards. The expanded definition of “breach” to include “unauthorized access” will also enhance notification obligations, and it suggests to us that businesses should augment employee training, implement data mapping, classification and access controls, and encryption, among things, in advance of the law’s March 2020 effective date.
We think that the NY SHIELD Act, along with new data privacy and security laws emerging in other states, like the CCPA, which allows for private rights of action in certain circumstances, also suggests that global compliance is quickly becoming both a sword and shield. Making sure that a business is properly armed in this complex environment is increasingly important.
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.