Amidst A Pandemic, New York Quietly Implements Its Enhanced Data Security Law

Written by Susan Kohn Ross and Timothy Carter

While much attention and focus has rightly been placed on the California Consumer Privacy Act and the dramatic expansion of privacy rights for California residents that it heralds, a number of other states have quickly followed suit, working to strengthen their respective data security and privacy laws.  Signed into law on July 25, 2019 by Governor Andrew Cuomo, New York enacted the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”).  The SHIELD Act amends New York State’s data breach notification law by broadening the state’s existing data breach notification requirements and by requiring covered businesses to have “reasonable” data security safeguards.

Among other things, the Act:

  • Broadens the scope of “Private Information” covered under the Act to include biometric information (e.g., a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data, which are used to authenticate or ascertain the individual’s identity), and a user name or e-mail address, in combination with a password or security question and answer, that would permit access to an online account.  N.Y. Gen. Bus. Law § 899-aa(1)(b).
  • Extends the Act’s jurisdiction to include any person or business, even those outside of the state, owning or licensing computerized data containing “Private Information” of a New York resident, regardless of whether the person or business otherwise conducts business in New York; what triggers the obligation to comply with the Act is that the affected individual is a New York resident.  Id. § 899-aa(2).
    • Notably, the SHIELD Act also adds a significant exception to breach notification.  Under the new “harm to the individual” standard, a business may be exempt from the breach notification requirements if the “exposure of Private Information was an inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” Id. § 899-aa(2)(a).
  • Expands the definition of a “Breach” to include both the unauthorized acquisition of Private Information and the unauthorized “access” of Private Information.  Id. § 899-aa(1)(c).
  • Requires companies to adopt reasonable administrative, technical, and physical safeguards in order to maintain the security, confidentiality, and integrity of Private Information.  Id. § 899-bb(2)(b)(ii)(A)-(C).
    • Rather than mandating specific protections, the Act provides that a business will “be deemed to be in compliance” if it implements a data security program containing the following:
      • reasonable administrative safeguards, including but not limited to, the designation of one or more employees to coordinate the security program, identification of reasonably foreseeable external and insider risks, assessment of existing safeguards, workforce cybersecurity training, and selection of service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract;
      • reasonable technical safeguards, including but not limited to, risk assessments of network, software design and information processing, transmission and storage, implementation of measures to detect, prevent and respond to system failures, and regular testing and monitoring of the effectiveness of key controls; and
      • reasonable physical safeguards, including but not limited to, detection, prevention and response to intrusions, and protections against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal of the information.
  • Imposes new reporting requirements for “covered entities” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  In the case of a data breach, the Act requires covered entities to report to the New York State Attorney General for any data breach event that under HIPAA would require reporting to the Secretary of Health and Human Services.  This reporting requirement exists even if the data at issue does not count as Private Information under New York’s breach notification law.  Id. § 899-aa(9).
  • Strengthens penalties for violations of New York’s breach notification law, including by increasing the penalty amount per instance of failed notification; imposing new civil penalties for certain failures to comply with the new data security standards; and authorizing the New York Attorney General to bring a civil action and seek restitution against any businesses that fail to comply with the Act’s enhanced data security and breach notification requirements and to recover uncapped civil penalties of up to $5,000 per violation for data security missteps.  Id. § 899-aa(6)(a); § 899-bb(2)(d)-(e).

The SHIELD Act’s breach notification provisions took effect on October 23, 2019, and the Act’s new data security requirements took effect on March 21, 2020.