July 19, 2019
On July 25, 2019, Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which expands the scope of the state’s breach notification law and establishes a new requirement for the use of “reasonable” data security requirements by entities that own or license “private information” of New York residents. The SHIELD Act – which is effective March 21, 2020 – expands the rights of New York residents with respect to their personal data, and imposes significant new data security and notification duties on businesses that hold personal data of New York residents, even those companies that are not registered to do business within the state.
Summary of the SHIELD Act
Expands the scope of businesses subject to the law
The SHIELD Act broadens the application of breach notification requirements to any entity that owns or licenses computerized data containing “private information” of a New York resident, regardless of whether the entity conducts business within the state. Companies subject to and in compliance with similar federal and state breach notification requirements, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the New York Cybersecurity Requirements for Financial Services Companies, are exempt from the requirement under the SHIELD Act to notify affected individuals. However, these companies must still notify the state attorney general, department of state, division of state police and consumer reporting agencies in the event of a breach.
Expands the definition of “private information” subject to breach notification requirements
The SHIELD Act expands the definition of “private information” to include: (i) account, credit, or debit card numbers if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information (while the previous version of the law was limited to account, credit, or debit card numbers only in combination with additional identifying information); (ii) biometric information, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data used to authenticate or ascertain an individual’s identity; and (iii) usernames or email addresses in combination with a password or security question and answer that would permit access to an online account.
Expands the definition of “breach”
The definition of “breach” was previously limited to the unauthorized acquisition of private information, which required some form of physical possession or control of the private information by an unauthorized individual. The SHIELD Act broadens the definition to include unauthorized access to private information, which is a lower threshold than acquisition and includes viewing, communicating with, using or altering private information without valid authorization.
New Data Security Requirements
Entities that are not already subject to industry-related cybersecurity regulations such as GLBA and HIPAA must develop, implement, and maintain reasonable safeguards that protect private information. The SHIELD Act contains a list of administrative, technical, and physical safeguards that businesses must maintain.
Implications for entities operating in New York or handling NY resident data
Passage of the SHIELD Act reflects a growing concern over digital privacy as well as an increased effort by the state to enhance privacy protection for residents.
Companies operating both inside and outside of New York that own or license “private information” of New York residents should immediately begin the process of assessing compliance and identifying existing gaps. A good way for companies to start this process is by carefully reviewing their cybersecurity policies and procedures, as well as their data breach protocols, and updating them as necessary to ensure compliance with the law. Employees should receive robust training on all new cybersecurity measures.
For more information on how the SHIELD Act may impact your business, or how to ensure compliance, contact our Healthcare and Privacy & Cybersecurity Department Chair, Linda Malek, at 212-554-7814.