March 13, 2020 by Matthew D. Dunn and Brielle E. Kilmartin
The most recent addition to the patchwork of ever-evolving data privacy laws is New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act. Signed into law by Governor Andrew Cuomo on July 25, 2019, the law expands data security and breach notification requirements to cover any non-exempt entity (including non-profits) that collects or maintains private information of New York residents, regardless of whether the organization maintains a presence in the state. It also broadens the definition of “private information” that is subject to protection and breach reporting. The breadth of its application and the expansion of its obligations and requirements will have a far-reaching impact on organizations in New York and beyond the state’s borders. While the breach notification requirements went into effect on October 23, 2019, the data security obligations on all covered entities go into effect on March 21, 2020.
Undoubtedly, many businesses and entities are unprepared to comply with the new data security obligations or are unaware that the SHIELD Act applies to them. This advisory provides an overview of the Act and summarizes the requirements that go into effect soon.
Data Security Safeguards Required
The Act requires all covered businesses to “develop, implement, and maintain reasonable safeguards” to protect private information and prevent data breaches from occurring. The Act provides that a business will be deemed in compliance if, by March 21, 2020, it has a data security program with the following requirements:
- Reasonable “administrative” safeguards. These can include designating an employee to oversee security programs, identifying reasonable internal and external security risks, assessing the sufficiency of its safeguards, training employees on proper security procedures and measures, carefully selecting service providers capable of maintaining stringent security standards and contractually requiring that such measures be maintained.
- Reasonable “technical” safeguards. A security program should incorporate risk assessments of company networks, software, and information processing; detection and protection measures to prevent and respond to system failures; and regular testing and monitoring of security programs.
- Reasonable “physical” safeguards. These can include erasing electronic media when it is no longer needed, disposing of private information within a reasonable amount of time after it is no longer needed for business purposes, protecting against unauthorized access, and detecting and responding to intrusions.
Companies that already comply with similar existing regulations, including the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and the NY Department of Financial Services (DFS) cybersecurity regulation will be considered compliant with the Act’s requirements.
The Act applies more flexible standards to small businesses, defined as those with (i) fewer than 50 employees; (ii) less than $3 million in gross revenue for each of the preceding three fiscal years; or (iii) less than $5 million in total net assets. In these cases, businesses need only have reasonable safeguards appropriate for the company’s size, business complexity, and sensitivity of the data it stores and collects.
While the regulatory burdens on small companies (including some non-profits) may be less stringent, there is no definitive guidance on how this will be applied. Best practice dictates that all covered entities be proactive and put in place reasonable administrative, technical, and physical safeguards, since additional states will likely continue to enact similar measures. One of the worst operational mistakes a company can make at this juncture is to ignore new privacy laws and regulations.
Definition of “Breach” and “Private Information”
The SHIELD Act defines “private information” broadly to include personal information that can identify an individual with any one or more of the following: a Social Security number, driver’s license number, credit or debit card number, or biometric information generated by electronic measurements of an individual’s unique physical characteristics (e.g. fingerprints, voice prints, retina or iris scans). A username or email address in combination with a password or security question and answer that would permit access to a user’s online account also constitutes private information under the Act.
The Act defines “breach” to include improper access to private information by an unauthorized party that compromises the security, confidentiality, or integrity of such information even if there is no evidence that the information was stolen or used for a malicious purpose. This includes information that was simply viewed without proper authorization.
There are two exceptions to the requirement to notify individuals whose data was compromised or reasonably believed to be compromised: (a) when a breach was inadvertent by someone who had authority to access the information and it is reasonably determined that exposure will not likely result in misuse or financial harm; and (b) if notice is made to affected persons pursuant to breach notification requirements of certain other laws or regulations, such as the GLBA, HIPAA, or the New York DFS cybersecurity regulations.
Breach Notification Requirements
Under the SHIELD Act, companies must now notify consumers “in the most expedient time possible without delay” following discovery of a breach. The notice must include contact information for the notifying entity, the telephone numbers and websites of relevant agencies (federal and state) that provide information regarding security breaches, and a description of the categories of information that were or are reasonably believed to have been accessed by a person without valid authorization. The Act also provides specific methods for the notice.
Penalties: The Act’s Sword
Entities that are not in compliance with the data security safeguards by March 21, 2020, or fail to adhere to the breach notification requirements, may be subject to civil enforcement actions by the New York Attorney General to enjoin violations and assess monetary penalties. Penalties can amount to $5,000 for each safeguard violation and up to $20 per instance of failed notification—not to exceed $250,000. While the Act does not provide for private causes of action, the penalty regime can be quite costly. Time will tell how aggressive the Attorney General will be in wielding this sword.
New York is one of the many states that have adopted stringent data protection laws and regulations. Companies should take care to assess the private information they currently collect and maintain, and review and update data security and breach policies to ensure compliance with the required safeguards and breach notification requirements. Companies that do business in, or collect personal data from persons in, other states or jurisdictions should review and consider the applicable laws and regulations in those jurisdictions. Given the ever-evolving nature of this area of law, compliance can be daunting. Organizations are encouraged to consult legal counsel to assist in assessing the applicability of the Act, evaluating compliance obligations, and advising on steps to take to ensure compliance.
* * *
For more information concerning the matters discussed in this publication, please contact the authors Matthew D. Dunn (212-238-8706, firstname.lastname@example.org), Brielle E. Kilmartin (212-238-8652, email@example.com), or your regular Carter Ledyard attorney.