On July 25, 2019, New York Governor Andrew Cuomo signed into law legislation that will beef up the State’s data privacy and security laws. Known as the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), the Act amends New York’s existing data breach notification statute by inter alia expanding the definition of what constitutes “private information” protected by the law and expanding the definition of what constitutes a breach. SHIELD also creates new data security requirements that apply not only to businesses located within the State, but also those outside the state that maintain data pertaining to New York residents.
This legislation was no doubt prompted in part by the well-publicized Equifax data breach that occurred in September 2017. That breach prompted a multi-district consumer class action lawsuit, as well as investigations by the Federal Trade Commission, the Consumer Financial Protection Bureau and various state Attorneys General. Equifax recently agreed to pay $671 million in restitution to settle all of these claims. Regardless of the size of your business, the financial and reputational consequences of any data breach can be devastating.
Changes to Definition of “Private Information”
Prior to SHIELD, New York’s data privacy law contained definitions for “personal information” and “private information.” The definition of “personal information” has not changed; it remains “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
To simplify, this information essentially means one’s name, address and telephone number; information that is in the public realm. “Private information,” on the other hand, covers non-public information. The law originally limited this to data concerning an individual’s driver’s license number and Social Security number, and account numbers and credit/debit card numbers together with their passwords. SHIELD has expanded this to include account numbers and credit/debit card numbers without passwords, “biometric information” (fingerprints, voiceprints, retina images), and user names or email addresses with passwords enabling access to an online account.
Expanded Definition of “Breach”
In another change to the law, the SHIELD Act amends the definition of what constitutes a data breach. Under the old law, a breach occurred when there was an “unauthorized acquisition or acquisition without valid authorization, of computerized data …” The new law provides that a breach occurs not only when there has been an “acquisition,” but also when there has been unauthorized access. More specifically, the law now provides that a breach occurs when there has been “unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data…”
Thus, individuals whose data has been compromised must be notified not only if their data has been stolen, but also if their data has been accessed without authorization.
The notification requirements in the event a breach has occurred remain unchanged. Affected individuals must be promptly notified in writing, electronically, by telephone, through a posting on the company’s website, through the media, and/or via e-mail (provided the e-mail address was not part of the improperly accessed data). Notice must include a description of the information accessed, the company’s contact information, and details on how to contact state and federal agencies for additional information.
Expanded Coverage Outside State Borders
Another important change to the law is the deletion of language which limits its scope to “[a]ny person or business which conducts business in New York state…” The law now applies to “any person or business,” meaning its scope extends outside the state. Thus a New Jersey transportation company that maintains data concerning customers who are New York residents is covered by New York’s law, and would be bound to follow its data protection and breach notification provisions. This approach is not unlike that of the data protection laws of various other states, as well as those of the European Union; all of which purport to regulate the security of their residents’ data beyond their borders.
Obligation to Comply With Reasonable Security Requirement
As was mentioned above, in addition to modifying the existing law SHIELD imposes new data security requirements as well. Specifically, the law states that “[a]ny person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”
Businesses are automatically deemed to be compliant if they follow the data security requirements of various state and federal laws (such as HIPAA). Otherwise, compliance is achieved through implementation of a data security program that meets the criteria specified by SHIELD. Such a program includes the following components:
“Reasonable administrative safeguards” in which the business:
- designates employees to coordinate a security program;
- identifies risks, assesses the sufficiency of safeguards to control risks;
- trains and manages employees in security program practices and procedures;
- selects service providers capable of maintaining appropriate safeguards, and requires such safeguards by contract; and
- periodically adjusts the program to adapt to business changes and/or new circumstances.
“Reasonable technical safeguards” in which the business:
- assesses risks in network and software design;
- assesses risks in information processing, transmission and storage;
- detects, prevents and responds to attacks or system failures; and
- regularly tests and monitors the effectiveness of key controls.
“Reasonable physical safeguards” in which the business:
- assesses risks of information storage and disposal;
- detects, prevents and responds to intrusions;
- protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
- disposes of private information within a reasonable amount of time after it is no longer needed for business purposes.
While there is no private right of action under SHIELD, the law does permit the Attorney General to bring an action in which substantial penalties may be awarded. That’s not to say private actions cannot be brought under other applicable laws; the class action lawsuit Equifax just settled makes that clear.
In conclusion: If your company maintains data regarding New York residents, SHIELD imposes important new privacy and security requirements. I encourage everyone to evaluate their current security policies and procedures to ensure they comport with the new law, and if such policies and procedures are not currently in place, to discuss the need for such policies with their attorneys.
Roberta C. Pike, Esq., Kenneth Tuch, Esq. and Laurence I. Cohen, Esq. are partners with Pike, Tuch & Cohen, LLP, with offices located at 1921 Bellmore Avenue, Bellmore, New York 11710. The firm specializes in commercial and employment litigation, including misclassification, wage and hour, employment practices, franchising and business practice matters, and transactional matters. The foregoing is provided solely as general information, is not intended as legal advice, and may not be applicable within your jurisdiction or to your specific situation. You are advised to consult with your attorneys for guidance before relying upon any of the information presented herein.