EFFECTIVE TODAY—Will the New York SHIELD Act Affect Your Organization’s Data Security?
On July 25, 2019, the New York Governor signed into law the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act, effective today, October 23, 2019. In an attempt to keep pace with the use and dissemination of private information and join the increasing number of states that require reasonable data security protections, the SHIELD Act amends the state data breach notification law.
The law broadens the scope of information covered under the state breach notification law, the definition of a data breach, and the notification requirements when a breach occurs. Additionally, companies, large and small, are required to adopt comprehensive data protection programs to reasonably safeguard private information.
[1]
Three Key Changes You Need to Know
- The Act extends the reach of New York’s breach notification and data security requirements to cover any person or entity with private information of a New York resident, regardless of whether the data collector conducts business in New York state.
- The Act substantially expands the definitions of “private information” and “breach,” which could trigger notification obligations.
- The Act requires that companies with private information about New York residents adopt— by March 21, 2020— data security safeguards that comply with the provisions of the SHIELD Act.
Who Must Comply?
Any organization that maintains the private information of New York residents must comply with the SHIELD Act. This includes every employer with employees in New York if you collect private information such as Social Security numbers to complete IRS W-2 forms. Thus, the Act subjects many out-of-state companies to new data security and privacy compliance obligations regardless of corporate structure, revenues, or location.
Unlike other data protection laws, there are no threshold minimums to trigger compliance. The Act takes the size of a company into account when determining the reasonableness of data protection programs, but the Act does not provide an exemption for small businesses.
Data Breach Notification Expansion
The SHIELD Act amends New York’s existing security breach notification law to broaden notification obligations. First, the definition of “private information” now includes biometric information, e-mail addresses and corresponding password and security questions and answers, and financial account numbers without a required security code if an unauthorized person could nevertheless access the account. Second, the Act also expands the definition of a data breach to include the unauthorized access to private information, rather than solely unauthorized acquisition. In determining whether information has been accessed, businesses may consider, among other factors, indications that the information was viewed, communicated, used, or altered by a person without valid authorization.
When notice must be provided to affected individuals, the Act establishes additional notice content requirements. In addition to contact information for the business making the notification and description of the categories of information that were accessed or acquired, the notice must include telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information.
If you are a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and are required to provide notification of a breach, including breach of information that is not “private information” as defined by the SHIELD Act, to the Secretary of Health and Human Services, you must also provide such notification to the state Attorney General within five (5) business days of notifying the Secretary.
State entities that experience a breach must also notify the New York State Office of Information Technology Services. The Office of Information Technology Services will provide a report on the scope of the breach and recommendations to restore and improve the security of the system to the state entity. Furthermore, the Office of Information Technology Services must provide regular training to all state entities relating to best practices for the prevention of a security breach.
Low Risk of Misuse Exception to Notification
The Act provides an important carve-out from the breach notification requirement for inadvertent disclosures by persons authorized to access private information. In such a situation, if the business can reasonably determine such exposure will not likely result in misuse of private information, financial harm to the affected persons, or emotional harm in the case of unknown disclosure of online credentials, then notification is not required. The determination must be documented in writing and maintained for five (5) years. Additionally, if the incident affects more than 500 New York residents, the company must provide the written determination to the New York Attorney General within ten (10) days after the determination.
[2]
Penalties
While the SHIELD Act does not provide for a private right of action, it doubles the civil penalty from $10 to $20 per failed notification or $5,000, whichever is greater. The Act also increases the statutory cap on the penalty from $150,000 to $250,000.
New Data Security Protection Requirements
The SHIELD Act requires companies in possession of New York residents’ private information to “develop, implement, and maintain
reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.”
[3]
What Is Reasonable?
As a business subject to the SHIELD Act, to demonstrate compliance you must show that (i) you are already subject to and compliant with another data security regulation, to include the Gramm-Leach Bliley Act, HIPAA, or New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies; or (ii) you have implemented a data security program that addresses the following safeguards and considerations:
| Reasonable Safeguards |
Considerations |
| Administrative Safeguards |
Designate one or more employees to coordinate the security program;
Identify reasonably foreseeable internal and external risks;
Assess the sufficiency of safeguards in place to control the identified risks;
Train and manage employees in the security program practices and procedures;
Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract; and
Adjust the security program in light of business changes or new circumstances. |
| Technical Safeguards |
Assess risks in network and software design;
Assess risks in information processing, transmission and storage;
Detect, prevent, and respond to attacks or system failures; and
Regularly test and monitor the effectiveness of key controls, systems, and procedures. |
| Physical Safeguards |
Assess risks of information storage and disposal;
Detect, prevent, and respond to intrusions;
Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and
Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed. |
Small Business Flexibility
If you are a small business, you can demonstrate compliance by showing your security program contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of your small business, the nature and scope of your small business’s activities, and the sensitivity of the personal information your small business collects from or about consumers. Under the Act, a small business is defined as “any person or business with (i) fewer than 50 employees; (ii) less than $3 million in gross annual revenue in each of the last 3 fiscal years; or (iii) less than $5 million in year-end total assets, calculated in accordance with generally accepted accounting principles.”
[4]
Penalties
The Act does not authorize a private right of action. Instead, the attorney general may bring an enforcement action to enjoin violations and obtain civil penalties. For reasonable safeguard requirement violations, the court may impose penalties of $5,000 per violation.
Conclusion
The data breach notification expansions went into effect today, October 23, 2019. However, the new data security protection requirements do not go into effect until March 21, 2020,
[5] which allows regulated entities time to assess their existing safeguards.
Companies located in New York state or that otherwise possess private information of New York residents should promptly evaluate the sufficiency of both their internal programs and the third-party service providers they use for compliance with the comprehensive data security protection requirements of the SHIELD Act. Companies with no current New York presence should evaluate whether their data security practices comply with the SHIELD Act prior to collecting private information about any New York resident.
Ice Miller has the professionals and experience to help clients develop data security and privacy programs to comply with the requirements of the New York SHIELD Act. To speak to an attorney, please contact
Nick Merker or
Tiffany Kim. Nick Merker is a partner and co-chair of Ice Miller’s
Data Security and Privacy Practice Group. Tiffany Kim is an associate in Ice Miller’s Data Security and Privacy Practice Group.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[3] S.5575B § 4 (emphasis added)