The New York Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or “Act”) was signed into law by New York Governor Andrew Cuomo on July 25, 2019, adding to the myriad of data privacy, breach notification and cyber security laws developing across the United States. The SHIELD Act provides specific safeguards for the collection, storage and disposal of Private Information (as defined below) of New York residents. Compliance with the SHIELD Act will require thoughtful implementation by businesses collecting or licensing the personal information of New York residents, whether or not such businesses are based in New York.
BREACH NOTIFICATION REQUIREMENTS
What Is A Breach?
The Act expands the definition of “breach” to include not just unauthorized acquisition of Private Information, as under the current law, but also unauthorized access to the Private Information. “Access” might mean that the Private Information was viewed, communicated with, used or altered by someone without authorization.
What Is Private Information?
Private Information is defined as any “Personal Information” (i.e. information concerning a person which, because of a name, number, personal mark or other identifier, can be used to identify that person), combined with one or more of the following: a social security number; a driver’s license number or non-driver identification card number; or an account number or credit or debit card number, together with any required security code, access code or password.
The Act expands New York’s definition of Private Information to include:
“Private Information” does not include publicly available information which is lawfully made available to the general public from federal, state or local government records.
Who Needs To Comply?
The Act applies to any person or business that owns or licenses Private Information of a New York resident, whether or not the person or business operates or conducts business in New York. Similar to other state-specific data privacy and breach notification laws, this effectively means that if the business operates a web presence and its collection, use and storage of Private Information would possibly include that of New York residents, that business is subject to the Act.
In The Event You’ve Determined A Breach Has Occurred:
What Are Your Reporting & Notice Obligations?
Failure To Comply With The Notice Requirements.
The New York Attorney General may bring an action for injunction and in such an action, the court may award damages for actual costs or losses incurred by the person entitled to notice, including consequential financial losses. The court may also impose civil penalties of the greater of $5,000 or up to $20 per instance of a failed notification, up to $250,000. This may be in addition to any other remedies available to the court.
DATA SECURITY PROTECTION REQUIREMENTS
Who Does This Apply To?
The new data security requirements apply to any person or business that owns or licenses data which includes Private Information of a resident of New York.
What You Need To Do
If you are subject to the Act, your business will need to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the Private Information of New York residents. The Act sets forth the criteria for a data security program that includes reasonable administrative, technical and physical safeguards to protect the Private Information of New York residents. Such a data security program should include the development, implementation and ongoing maintenance of appropriate risk assessment and management programs; employee training practices and procedures; assessment of risks in network and software design, information processing, data transmission and storage; attack detection and response mechanisms; testing and monitoring procedures; data disposal; and prevention of unauthorized access at each stage of the data life cycle (e.g. collection, storage, transportation, destruction, disposal).
What If You Are A Small Business?
Requirements for small business compliance are slightly less burdensome. A small business security program would be compliant if it contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers. A small business is defined as one with fewer than 50 employees, less than three million dollars in gross annual revenue for the last three years, or less than five million dollars in assets.
Risks Of Non-Compliance.
While the SHIELD Act specifically states there is no private right of action, the New York Attorney General may bring claims against entities and individuals who fail to comply with the law, to enjoin the alleged activity and assess civil penalties under the New York Consumer Protection laws, which provide damages of up to $5,000 for each violation. It is worth noting that it remains to be seen what would qualify as a “violation” for purposes of assessing damages under this statute.
What If You Are Already Compliant With Other Laws?
The Act states that a business or person otherwise compliant with Title V of the GLBA, the regulations implementing HIPAA and HITECH, or the 23 NYCRR 500 regulations would also be compliant with the data security protections of the new law. This may come as some relief as businesses struggle to keep up with the patchwork of privacy and data security legislation and regulation evolving throughout the United States.
For more information or if you have any questions about how this new development may affect your business, please contact Intellectual Property Partner Katherine E. Lewis:
Katherine E. Lewis
Partner, Intellectual Property
(646)539-3730 | firstname.lastname@example.org