October 22, 2019

CSG Law Alert: The Long Reach of New York's SHIELD Act

States continue to pass legislation addressing the protection and breach of private information and, on July 25, 2019, New York joined the growing trend when Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) into law. The SHIELD Act significantly amends New York’s data protection and data breach notification laws – expanding their reach beyond businesses operating in New York and imposing new requirements on persons and businesses in possession of New York residents’ private information.

Effective March 2020, the proactive portion of the SHIELD Act will:

• Apply to any business that has personal information (“PI”) regarding any New York resident
• Require those businesses to adopt proactive measures to safeguard that PI
• Require businesses to vet vendors entrusted with or with access to that PI

The amendments to the current New York breach notification law, effective on October 23, 2019, “redefine a “breach” to include the “mere” unauthorized access to PI (expand the law beyond the actual acquisition of such PI without authorization).

While the amendment to the breach notification requirements may not greatly impact businesses’ current practices, the proactive requirements will be felt by any business that is not already taking “reasonable” measures to safeguard PI in their control.  And if you are a vendor to any of these businesses, and you are not prepared to adopt the requisite proactive measures to protect PI entrusted to you, then you may lose that business.

Expanded Definition of Private Information

The SHIELD Act broadens the scope of private information that must be protected and, if accessed or acquired, triggers a breach notification obligation.  The SHIELD Act defines “private information” as personal information¹ plus any of specified data elements², “when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired.”  As such, businesses should consider (if they are not already) encrypting PI that they control or process, and storing the decryption key in a separate location.

“Private information” also includes an individual’s online account credentials³ if they would permit access to such account.  New York, as are many other jurisdictions, has now included biometric data in its definition of PI.

Clarifies the Definition of Breach – Includes Access

As noted above, the SHIELD Act clarifies when a data breach occurs.  Prior to the SHIELD Act, a breach was defined as the improper acquisition of data that compromised private information.  The SHIELD Act, however, makes clear that a breach occurs when there is mere improper access to data that could compromise a New York resident’s private information, whether or not such data is actually acquired.

Increased Territorial Reach

The SHIELD Act also expands the territorial reach of New York’s data protection and data breach notification laws.  Under the prior law, only persons or businesses that operated in New York were subject to the law’s requirements.  The SHIELD Act eliminates that territorial limitation such that any person or business that possesses a New York resident’s private information must protect that data, and report a breach of such data to the impacted resident(s) and the appropriate state authorities.⁴

New Data Security Provisions

Finally, the SHIELD Act requires persons or businesses that have New York residents’ private information to institute “reasonable safeguards” to protect that information.⁵ Reasonable safeguards will generally involve the person or business instituting a “data security program” that implements administrative, technical, and physical safeguards to protect the data.  The SHIELD Act does offer some guidance as to what such safeguards would include:

• Designating a security coordinator or a chief information security officer
• Identifying internal and external risks and undertaking a risk assessment
• Adopting and implementing appropriate safeguards for the physical environment in which the business operates
• Implementing technology and business practices to protect against unauthorized access to or use of private information
• Training personnel on cyber-mindfulness and the business procedures and policies related to data privacy and security
• Vetting vendors that may have access to private information to confirm those vendors have appropriate security policies and procedures
• Assessing the adequacy of security features in the technology employed by the business, including software, cloud environments and applications
• Implementing appropriate technology to prevent and detect system attacks and failures
• Adopting an incident response plan to enable the business to quickly respond to an attack and resume “normal” operations
• Securely disposing of and destroying private information after it is no longer needed for business purposes so that the information cannot be read or reconstructed

Businesses that are subject to certain statutory frameworks⁶ may be deemed to be in compliance with the legislation based on their current practices.  In addition, small businesses⁷ are required to implement and maintain reasonable safeguards “appropriate to the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”  Small businesses are not, however, exempt.

Enforcement

While the amendments to the breach notification law have not created a private cause of action, leaving enforcement in the hands of the Attorney General, the fines for failure to provide timely notice of a breach are at least two times those imposed under the prior law.⁸

---

¹ Personal information is “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person[.]”

² The data elements enumerated include:

• social security number;
• driver’s license number or other identification card;

(iii) “account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account;”

(iv) “account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password;” or

(v) “biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics . . . which are used to authenticate or ascertain the individual’s identity.”

³ E.g., user name, e-mail address, password, security question and answer.

⁴ A breach must be reported to the New York Attorney General, the New York Department of State, and the New York Division of State Police.  If more than 5,000 New York residents must be notified of a breach, the breach must also be reported to consumer reporting agencies.

⁵ Businesses that fail to comply with the data security provisions are deemed to have breached the consumer protection law, and are subject to a civil penalty not to exceed $5,000 for each violation.

⁶ E.g., HIPAA, GLBA, and 23 NYCRR 500 et. seq.

⁷ “Small business” is defined as a “business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.” (emphasis added).

⁸ Businesses that fail to comply with the breach notification provisions can be held liable for the “actual costs or losses incurred by a person entitled to notice.”  In addition, if the business violated the provision “knowingly or recklessly,” a civil penalty can be imposed.  The civil penalty is the greater of (i) $5,000 or (ii) $20 per instance of failed notification, up to a maximum of $250,000.