SHIELD Act To Expand New York’s Data Breach Notification Requirements

July 19, 2019

By: Linda A. Malek, Jill E. Anderson, and Nora Lawrence Schmitt

UPDATE: The SHIELD Act was signed into law by Governor Andrew Cuomo on July 25, 2019.
It will become effective on March 21, 2020.

On June 17, 2019, the New York legislature passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. If signed by Governor Cuomo, the SHIELD Act will expand the scope of the state’s breach notification law and establish a new requirement that entities that own or license “private information” of New York residents adopt “reasonable” data security safeguards. Once effective, the SHIELD Act will substantially expand the rights of New York residents and impose significant new data security and notification duties on businesses that hold personal data of New York residents, including companies that are not registered to do business within the state.

Summary of the SHIELD Act

Expands the scope of businesses subject to the law

The SHIELD Act broadens the application of breach notification requirements to any entity that owns or licenses computerized data containing “private information” of a New York resident, regardless of whether the entity conducts business within the state. Companies subject to and in compliance with similar federal and state breach notification requirements, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the New York Cybersecurity Requirements for Financial Services Companies, are exempt from the SHIELD Act’s requirement to notify affected individuals. However, these companies must still notify the state attorney general, the department of state, the division of state police, and consumer reporting agencies in the event of a breach.

Expands the definition of “private information” subject to breach notification requirements

The SHIELD Act expands the definition of “private information” to include: (i) account, credit, or debit card numbers if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information (while the previous version of the law was limited to account, credit, or debit card numbers only in combination with additional identifying information); (ii) biometric information, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data used to authenticate or ascertain an individual’s identity; and (iii) usernames or email addresses in combination with a password or security question and answer that would permit access to an online account.

Expands the definition of “breach”

The definition of “breach” was previously limited to the unauthorized acquisition of private information, which required some form of physical possession or control of the private information by an unauthorized individual.  The SHIELD Act broadens the definition to include unauthorized access to private information, which is a lower threshold than acquisition and includes viewing, communicating with, using or altering private information without valid authorization. 

New Data Security Requirements

Entities that are not already subject to industry-related cybersecurity regulations such as GLBA and HIPAA must develop, implement, and maintain reasonable safeguards that protect private information. The SHIELD Act contains a list of administrative, technical, and physical safeguards that businesses must maintain. 

Implications for entities operating in New York or handling NY resident data

Passage of the SHIELD Act reflects a growing concern over digital privacy as well as an increased effort by the state to enhance privacy protection for residents. 

The SHIELD Act will become effective nineteen days after it is signed into law. It could be signed at any time from now until January 2020. Companies operating both inside and outside of New York that own or license “private information” of New York residents should immediately begin the process of assessing compliance and identifying existing gaps. A good way for companies to start this process is by carefully reviewing their cybersecurity policies and procedures, as well as their data breach protocols, and updating them as necessary to ensure compliance with the law. Employees should receive robust training on all new cybersecurity measures.

For more information on how the SHIELD Act may impact your business, or how to ensure compliance, contact our Healthcare Department Chair, Linda Malek, at 212-554-7814.