New York SHIELD Act Expands Privacy and Cybersecurity Obligations

New York’s new SHIELD Act:

  • Adds additional information types that may trigger a breach notification.

  • Requires notification upon unauthorized access to (not just acquisition of) protected information.

  • Imposes new cybersecurity obligations on persons maintaining private information about New York residents.

Privacy and data security law continues to evolve, and once again, new state laws are driving the change. On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which significantly expands the state’s data breach notification law and adds new cybersecurity requirements. While the new law does not create a private right of action, it specifically authorizes the state’s attorney general to seek significant civil penalties for noncompliance.

Expansion of Data Breach Notification Law

The SHIELD Act expands the scope of the state’s breach notification law by broadening the types of covered personal information that trigger notification obligations and modifying the circumstances under which notification is required.

Existing New York law requires notification if an individual’s Social Security number, driver’s license or identification number, or financial account number (coupled with a security code or password), together with any personally identifiable information, is compromised. The SHIELD Act adds to this list biometric information (like fingerprints or retina scans) as well as user names and email addresses, if they are coupled with passwords or other information allowing access to online accounts. The new law also removes the requirement that a financial account number be coupled with a security code or password, if the account could be accessed without such credentials.

Importantly, the law previously only required notification of an unauthorized acquisition of computerized data. The SHIELD Act broadens this requirement by also mandating notification of an unauthorized access to protected information, a change that will undoubtedly result in more data incidents qualifying as reportable breaches. For example, it will sweep in situations where user credentials were exposed but not necessarily used, or where hackers were able to delete or lock files (such as through a ransomware attack) without actually acquiring the data. The new law also provides specific factors that businesses may use (such as indications that the information was viewed or altered) to determine whether there was unauthorized access. Interestingly, it provides an exception to the reporting obligation for inadvertent disclosures by authorized persons where there is little risk of harm, and it provides specific procedures that a company must take before using the exception. Notably, the new law does not change the time requirement for consumer notification – breaches must still be reported “in the most expedient time possible and without unreasonable delay.”

New Data Security Obligations 

The SHIELD Act also imposes new obligations on persons maintaining private information about New York residents to “develop, implement and maintain reasonable safeguards” to protect the security of such information in both its use and disposal. In some cases, determining whether a company’s safeguards are sufficient will be relatively easy, as the SHIELD Act provides a safe harbor for organizations already covered by and complying with certain regulations, such as financial firms covered by the Gramm-Leach-Bliley Act, health care companies covered by the Health Insurance Portability and Accountability Act, and financial service providers covered by the New York Department of Financial Services cybersecurity rule. For organizations unable to take advantage of the safe harbor, the new law provides a detailed list of factors to determine whether a company has instituted sufficiently reasonable administrative, technical and physical safeguards.

Next Steps 

A company subject to the SHIELD Act should adopt and maintain a written information security program that complies with its requirements, including addressing cybersecurity protocols, providing for employee training and designating an individual responsible for administering the program.