The New York SHIELD Act: A Comprehensive Overview

AdoLisa EzeaguThe New York SHIELD Act: A Comprehensive Overview

By AdoLisa Ezeagu, Esq., CIPP/US

On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), joining a host of other states requiring businesses to implement reasonable data security practices that safeguard the personal data of state residents. The SHIELD Act updates New York’s data breach notification law and imposes new threshold data security requirements on businesses that process the private information of New York residents. This article provides a comprehensive overview of the new law and offers some high-level compliance action items.

The data breach notification amendments become effective on October 23, 2019, but companies have until March 21, 2020 to comply with the new data security requirements.

Who Is Covered?

The SHIELD Act expands the application of the state’s data breach notification law to “any person or business that owns or licenses computerized data which includes private information of a New York resident.” Previously, the law applied only to businesses conducting business within New York. The new law applies to individuals and businesses regardless of where they do business.

Data Breach Notification Amendments

The SHIELD Act updates New York’s data breach notification law by amending the state’s General Business Law § 899-aa.

New York law requires the disclosure of any security breach of a computer system where the private information of New York residents can be found. Among other things, the SHIELD Act amends the scope of information giving rise to data breach notification obligations by redefining “private information” and what constitutes a “breach of the security system.”

Private Information

The Act redefines private information to mean personal information (any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person) and any one or more of the following unencrypted data elements:

  • Social security number
  • Driver’s license or non-driver identification card
  • Financial account number with access information
  • Financial account number only if this number alone can be used to access a financial account
  • Biometric information (e.g. fingerprints or retina image)

Personal information coupled with encrypted forms of these regulated data elements also constitutes “private information” if the encryption key has been acquired or accessed by an unauthorized party.

Previously, the definition of “private information” meant personal information plus a regulated data element when either the personal information or the data element was unencrypted. Now, an unencrypted regulated data element or an encrypted regulated data element with a compromised encryption key must be present for the data set to be considered “private information.”

The Act also expands the definition of “private information” to include a username or email address coupled with the account’s access information.

Breach of the Security System

The definition of “breach of the security of the system” has been expanded to include unauthorized access of computerized data. Previously, the statute only applied to unauthorized data acquisition. The change was most likely made to include both ransomware and virtual snooping events where hackers only access data without extracting or confiscating it.

In determining whether private information has been accessed, the new law recommends the business consider indications that the data was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized third party.

The definition was also amended to apply to private information rather than personal information.

Updates to Data Breach Notice Requirements

The SHIELD Act amends New York’s old data breach law by explicitly exempting instances involving good faith access or the acquisition of private information by an employee or agent for business purposes. However, this exemption does not apply if the employee or agent in the course of business makes an unauthorized disclosure of the private information.

The Act also provides that data breach notices are not required to be issued if the data exposure was mistakenly made by an authorized person and the disclosed information is not likely to result in misuse, or financial or emotional harm. The company’s determination on this issue must be in writing and kept for at least five years. If the data exposure affects over 500 New York residents, the written determination must be submitted to the state attorney general within 10 days after the determination.

The Act removes the requirement to provide data breach notices to affected New York residents if breach notices are provided to them in compliance with the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), or any other federal or New York state data security rule, regulation, or statute. Notwithstanding, notice obligations to the New York State Attorney General, Department of State, Division of State Police, and consumer reporting agencies remain.

The data breach notice can no longer be sent to New York residents by email if the email and password or security question were the private information breached. Instead, companies will be required to use one of the other distribution methods outlined in the old statute (such as mail, phone, business website or major statewide media, etc.).

In addition to the contact information of the business making the notification, the SHIELD Act requires the notice to also include the telephone numbers and websites of the relevant state and federal agencies that provide information about security breach response and identity theft prevention. A copy of the notice template must now accompany the data breach information the business provides to the Attorney General, Department of State, and the Division of State Police.

The Act also mandates that any covered entity under HIPAA that is required to provide notice of breach of medical records to the Secretary of Health and Human Services must also notify the State Attorney General within five business days of notifying the Secretary.

The Act increases the civil penalties for failure to provide data breach notification from $10 to $20 per instance with a maximum of $250,000 rather than $150,000 per event.

The statute of limitations is extended from two to three years, thereby giving the Attorney General more time to prosecute notice violations. The clock starts ticking when the Attorney General becomes aware of the notice violation or on the date the company sends the data breach notices to residents, whichever occurs first. The Attorney General has a maximum of six years to prosecute unless the company took active steps to hide the breach.

New “Reasonable Security” Requirement

The SHIELD Act adds a new section to New York’s general business law which mandates that any person or business who owns or licenses computerized data that includes the private information of a New York resident must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information (NY GBS § 899-bb). The safeguards must also extend to the disposal of the data.

The law provides that compliance with the “reasonable security” requirement is achieved if a person or business is a “Compliant Regulated Entity” or implements a data security program that includes reasonable administrative, technical, and physical safeguards.

A “Compliant Regulated Entity” is defined as any business or person subject to and compliant with the data security requirements of:

  • Title V of GLBA;
  • HIPAA regulations and the Health Information Technology for Economic and Clinical Health Act (HITECH Act);
  • The New York Department of Financial Services Cybersecurity Regulation (23NYCRR 500); or
  • Any other federal or New York state data security rule, regulation, or statute as interpreted by the enforcing department, division, commission, or agency, or by federal or New York state courts.

The Act provides that a person or business that is not a Compliant Regulated Entity must implement a data security program which, at a minimum, includes the following safeguards:

Administrative Safeguards

1. Designate one or more employees to coordinate the security program.

2. Identify reasonably foreseeable internal and external risks.

3. Assess the sufficiency of safeguards in place to control the identified risks.

4. Train and manage employees in the security program practices and procedures.

5. Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract.

6. Adjust the security program in light of business changes or new circumstances.

Technical Safeguards

1. Assess risks in network and software design.

2. Assess risks in information processing, transmission, and storage.

3. Detect, prevent, and respond to attacks or system failures.

4. Regularly test and monitor the effectiveness of key controls, systems, and procedures.

Physical Safeguards

1. Assess risks of information storage and disposal.

2. Detect, prevent, and respond to intrusions.

3. Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information.

4. Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

A small business complies with the reasonable security requirement if its security program contains reasonable administrative, technical, and physical safeguards that are appropriate for:

  • Its size and complexity
  • The nature and scope of its activities, and
  • The sensitivity of the personal information it collects from or about consumers.

The SHIELD Act defines a small business as a person or business with less than 50 employees, earned less than $3 million annually over the last three years, or has less than $5 million in assets at year end.

Any person or business that fails to meet the reasonable security requirement will be in violation of New York’s general business laws and subject to an injunction brought by the state Attorney General and liable for up to $5,000 in civil penalties per violation.

There is no private right of action for either the data breach notification or the reasonable security law.

Cost of Data Security Non-Compliance

The national impact of the SHIELD Act on data security practices may end up largely depending on how the New York Attorney General’s office exercises its injunction powers and assesses civil penalties. On the statute’s face, it is unclear whether violations will be assessed per overall occurrence, per insufficient safeguard, or per breached record. Each one of these scenarios will result in wildly different civil penalties.

If the maximum fine is only $5,000 based on a per occurrence calculation, many larger companies may not be highly incentivized to voluntarily comply because the cost of compliance will far exceed the maximum fine amount. On the other hand, the risk of facing an injunction that can shut down data-related business activities all through the state of New York may be enough incentive for companies to voluntarily comply.

Practical Takeaways

As a foundational issue, companies (especially those that do not actively conduct business in New York) should evaluate the cost of compliance in light of the business’s need to own or license computerized data of New York residents. The company’s business case for this data will shape its compliance strategy.

Before the October 23, 2019 deadline, companies should integrate the new definition of private information into their data breach notification compliance program.

The compliance deadline for the reasonable security requirement is about seven months away. Here are some activities companies should consider completing by March 21, 2020 to comply with the SHIELD Act.

  • Comprehensive Assessments: Conduct documented risk assessments across all domains outlined in the statute and select controls to effectively mitigate the risks identified. Also, test the sufficiency of the selected controls and document the test results.
  • Update Records Retention Policies and Data Disposal Plans: Data minimization and safe data disposal are now both mandated by New York law. Companies are required to dispose of private information within a reasonable time after it is no longer needed for business purposes in a manner that the information cannot be read or reconstructed. Revisit your records retention policies and data disposal plans across all departments to verify compliance with this standard and make necessary adjustments.
  • Vendor Due Diligence and Contract Update: Develop a vendor management program that includes evaluating each relevant service provider’s capability to maintain appropriate safeguards. Update vendor contracts to require these safeguards.
  • Written Security Program: Draft and maintain a comprehensive document that describes the company’s up-to-date administrative, technical, and physical safeguards.

In Closing: Keep an Eye on New York

With the passing of the SHIELD Act, New York will certainly be a state to watch. New York Attorney General Letitia James and her team drafted the SHIELD Act with a specific aim to not only protect consumers but also to expand the Attorney General’s authority to regulate data security. Unlike other states that already have data security laws in place, New York may be one of the first states to actually enforce its reasonable security requirement on a pronounced and regular basis. Time will soon tell.

AdoLisa Ezeagu is Founder and Managing Attorney of Ezeagu Law Firm LLC, a data privacy and cybersecurity law firm which helps public and private sector organizations develop, implement, and maintain legally-defensible privacy, cybersecurity, and third party risk programs.