New York’s Stop Hacks and Improve Electronic Data Security Act

The New York Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or “Act”) was signed into law by New York Governor Andrew Cuomo on July 25, 2019, adding to the growing patchwork of data privacy, breach notification and cybersecurity laws developing across the United States. The SHIELD Act amends New York’s existing breach notification statute and adds specific safeguard requirements for the collection, storage and disposal of Private Information (as defined below) of New York residents. Compliance with the SHIELD Act will require thoughtful implementation by businesses that own or license the Private Information of New York residents, whether or not such businesses are based in New York.

Important Dates:

  • The data breach notification amendments to the Act take effect on October 23, 2019; and
  • The data security amendments to the Act take effect March 21, 2020.


What Is A Breach?
The Act expands the definition of “breach” to include not just unauthorized acquisition of Private Information, as under the prior law, but also unauthorized access to Private Information. In determining whether information has been accessed without authorization, a business may consider indications that the Private Information was viewed, communicated with, used or altered by a person without valid authorization. In practice, this means a breach may be reportable even where no data was exfiltrated.

What Is Private Information?
Private Information is defined as any “Personal Information” (i.e. information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify that person) in combination with one or more of the following data elements: a Social Security number; a driver’s license number or non-driver identification card number; or an account number, credit card number or debit card number, together with any required security code, access code or password that would permit access to the individual’s financial account.

The Act expands New York’s definition of Private Information to include:

  1. Account numbers and credit or debit card numbers, even without the security code, access code or password, if the number alone could be used to access the individual’s financial account;
  2. Biometric information (e.g. fingerprint, voice print, retina or iris image, etc.);
  3. User name or e-mail address in combination with a password or security question and answer that would permit access to an online account; or
  4. Any unsecured protected health information held by a “covered entity” as defined by the Health Insurance Portability and Accountability Act (“HIPAA”).

“Private Information” does not include publicly available information which is lawfully made available to the general public from federal, state or local government records.

Who Needs To Comply?
The Act applies to any person or business that owns or licenses Private Information of a New York resident, whether or not the person or business operates or conducts business in New York. Similar to other state-specific data privacy and breach notification laws, this effectively means that if the business operates a web presence and its collection, use and storage of Private Information would possibly include that of New York residents, that business is subject to the Act.

In The Event You’ve Determined A Breach Has Occurred:

What Are Your Reporting & Notice Obligations?

  • The Act mandates that where notice of a breach is already required by HIPAA, the Gramm-Leach-Bliley Act (“GLBA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), or any other data security rules and regulations of the federal or New York State government, the affected business need not separately notify the affected persons under the Act, but must still report the breach to the New York Attorney General.
  • Notice to affected persons is not required where (1) the exposure was an inadvertent disclosure by persons authorized to access Private Information, and (2) the business reasonably determines that the exposure will not likely result in (i) misuse of the information, (ii) financial harm to the affected persons, or (iii) emotional harm in the case of known disclosure of online credentials. A business relying on this exception must document its determination in writing and maintain that documentation for at least five years. If the incident affected more than 500 New York residents, the business must provide the written determination to the New York Attorney General within ten days after making it.
  • Where notice to affected persons is required, the Act requires that the notification include the telephone numbers and websites of the relevant New York State and federal agencies that provide information on security breach response and identity theft prevention and protection.

Failure To Comply With The Notice Requirements.
The New York Attorney General may bring an action for injunctive relief, and in such an action the court may award damages for the actual costs or losses incurred by the persons entitled to notice, including consequential financial losses. Where the failure to notify was knowing or reckless, the court may also impose civil penalties of the greater of $5,000 or up to $20 per instance of failed notification, not to exceed $250,000. These remedies are in addition to any other remedies available to the court.

Data Security Requirements (Effective March 21, 2020):

Who Must Implement Safeguards?
The new data security requirements apply to any person or business that owns or licenses computerized data which includes Private Information of a resident of New York, regardless of where that person or business is located.

What You Need To Do
If you are subject to the Act, your business will need to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the Private Information of New York residents, including its disposal. The Act sets out the criteria for a compliant data security program, which must include reasonable administrative, technical and physical safeguards such as the following:

  • Administrative safeguards: designating one or more employees to coordinate the security program; identifying reasonably foreseeable internal and external risks; assessing the sufficiency of safeguards in place to control those risks; training and managing employees in the security program’s practices and procedures; selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract; and adjusting the program in light of business changes or new circumstances.
  • Technical safeguards: assessing risks in network and software design; assessing risks in information processing, transmission and storage; detecting, preventing and responding to attacks or system failures; and regularly testing and monitoring the effectiveness of key controls, systems and procedures.
  • Physical safeguards: assessing risks of information storage and disposal; detecting, preventing and responding to intrusions; protecting against unauthorized access to or use of Private Information during or after collection, transportation and destruction or disposal; and disposing of Private Information within a reasonable time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed.

What If You Are A Small Business?
Requirements for small business compliance are slightly less burdensome. A small business’s security program is compliant if it contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers. A small business is defined as one with fewer than 50 employees, less than three million dollars in gross annual revenue in each of the last three fiscal years, or less than five million dollars in year-end total assets.

Risks Of Non-Compliance.
While the SHIELD Act specifically states that it creates no private right of action, a failure to comply with the data security requirements is deemed a violation of New York’s consumer protection law, and the New York Attorney General may bring an action against entities and individuals to enjoin the alleged violation and to recover civil penalties of up to $5,000 for each violation. It is worth noting that it remains to be seen what will qualify as a separate “violation” for purposes of assessing penalties under this statute.

What If You Are Already Compliant With Other Laws?
The Act states that a business or person that is subject to, and in compliance with, Title V of the GLBA, the regulations implementing HIPAA and the HITECH Act, the New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500), or any other data security rules and regulations of the federal or New York State government is deemed compliant with the data security requirements of the new law. This may come as some relief to businesses struggling to keep up with the patchwork of privacy and data security legislation and regulation evolving throughout the United States. Note that this deemed compliance covers the data security requirements only; the breach notification obligations described above still apply.

For more information or if you have any questions about how this new development may affect your business, please contact Intellectual Property Partner Katherine E. Lewis:

Katherine E. Lewis
Partner, Intellectual Property
(646) 539-3730