Key changes to New York’s data breach notification statute enacted by the SHIELD Act take effect by October 23, 2019. Businesses should assess whether they are ready for compliance.
New York’s Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, which was recently enacted, makes significant changes to New York law and will affect companies holding computerized data that includes the private information of New York residents.
The SHIELD Act will usher in three major changes: It (1) expands the data elements that may trigger data breach notification to include certain biometric information, user names or email addresses, and account, credit card, or debit card numbers, if circumstances would permit account access without a security code or other information; (2) broadens the definition of a breach to include unauthorized “access” (in addition to unauthorized “acquisition”); and (3) creates a new reasonable security requirement for companies to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of” the private information of New York residents. The first two changes take effect on October 23, 2019, while the third change becomes effective on March 21, 2020.
Below is a summary of the new requirements for businesses to review and assess their compliance.
To Whom Does the Law Apply?
While New York’s existing data breach notification requirement covers “[a]ny person or business which conducts business in New York State and which owns or licenses computerized data which includes private information,” the SHIELD Act removes the first requirement and now the law only applies to “[a]ny person or business which owns or licenses computerized data which includes private information.” (Emphasis added.)
Expanded Definition of Private Information
The SHIELD Act broadens the definition of “private information” of New York residents in three significant respects. Private information will now include, in combination with a personal identifier, (1) biometric information, such as a fingerprint, voice print, or retina or iris image, and (2) an account, credit, or debit card number, if the number could be used to access an individual’s financial account without any additional identifying information, such as a security code or password. Additionally, it includes (3) “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account,” even without a personal identifier.
Access vs. Acquisition
Current New York law provides, “‘Breach of the security of the system’ shall mean unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.” (Emphasis added.)
The SHIELD Act revises how the New York State data breach law interprets a security breach, broadening the term to include any access of private information. Under the SHIELD Act, the viewing of private information by a hacker may qualify as a “breach of the security of the system” and require the company to provide notice of such data breach. Factors indicating access include whether “the information was viewed, communicated with, used, or altered without valid authorization or by an unauthorized person.”
The SHIELD Act increases the penalties for “knowingly or recklessly” violating the statute, allowing a court to “impose a civil penalty of the greater of five thousand dollars or up to twenty dollars per instance of failed notification,” up to $250,000, thereby increasing the maximum penalty of $150,000 provided for under New York’s current data breach notification law. Prior New York law limited the potential civil penalty “up to ten dollars per instance.”
Extended Statute of Limitations
The SHIELD Act also extends the statute of limitations for enforcement actions thereunder. Under existing New York law, an action must be brought within two years from “the date of the act complained of or the date of discovery of such act.” Under the SHIELD Act, the period would be within three years from either (1) the date on which “the attorney general became aware of the violation” or (2) the date of notice sent to the attorney general, “whichever occurs first,” but not later than six years following the discovery of the breach by the company (unless the company took steps to hide the breach).
Still to Come: A Reasonable Security Requirement
The SHIELD Act requires covered entities to develop, implement, and maintain “reasonable safeguards” to protect the security, confidentiality, and integrity of private information. Reasonable safeguards include conducting risk assessments, training employees, selecting vendors capable of maintaining appropriate safeguards and implementing contractual obligations for those vendors, and disposing of private information within a reasonable time. This requirement becomes effective on March 21, 2020.
The following are key takeaways for any "person or business that owns or licenses the private information of a New York resident.”
Prior to the effective date of October 23, 2019, for the newly amended data breach requirements:
Prior to the effective date of March 21, 2020, for the data security requirement:
While states continue to enact changes to their data breach notification standards, there are significant differences among the 50 state statutes and laws in the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. In fact, a uniform state data breach notification standard as well as greater cooperation between the government and the private sector when developing cybersecurity laws, would simplify the notification process to protect individuals’ information. We believe that making compliance more costly, cumbersome, and complex may ultimately have the unintended consequence of diverting limited resources to compliance without enhancing cybersecurity.
For further analysis on the SHIELD Act, see our article, Preparing for the New Data Breach and Security Requirements Under the New York SHIELD Act.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: