New York Expands Definition of Private Information and Imposes Groundbreaking Cybersecurity Requirements
The Stop Hacks and Improve Electronic Data Security Handling Act (SHIELD Act) recently enacted by the New York Senate brings New York in line with many states that have expanded their breach notification laws, and imposes new obligations on businesses that hold New York residents’ personal information. Effective October 2019, the Act amends New York’s general business law and state technology law to broaden the definition of “Private Information” (PI) by subjecting three new categories of data to security and breach notification requirements:
Financial account and payment card numbers that “could be used to access an individual’s financial account without additional identifying information, security code, access code, or password”
Biometric information, “meaning data generated by electronic measurements of an individual’s unique physical characteristics”
A “user name or email address in combination with a password or security question and answer that would permit access to an online account.”
The Act is a first for businesses outside the finance sector because it reaches beyond breach notification requirements and imposes cybersecurity obligations by requiring businesses that maintain New York residents’ PI to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.”
Businesses are SHIELD-compliant (1) if they are subject to and compliant under the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), or the NYS Department of Financial Services Cybersecurity Requirements, or (2) if they have in place a data security program with reasonable administrative, technical, and physical safeguards − the safeguards are opportunely defined in the Act and largely mirror the National Institute of Standards and Technology’s Cybersecurity Framework. Importantly, the law recognizes compliance for small businesses where security programs are appropriate for their size and complexity according to the nature and scope of the business activities and the sensitivity of personal information they possess. The SHIELD Act’s cyber provisions take effect on March 21, 2020.
The SHIELD Act also adds a layer of subjective assessment by exempting notice for “inadvertent disclosures” made by persons authorized to access the private information if reasonably determined that the exposure will not likely result in (1) misuse of such information, (2) financial harm, or (3) emotional harm in the case of unknown disclosure of email credentials as defined under “Private Information.” The Act also excuses notification requirements for organizations that are in compliance with other state and federal privacy regulations, including the GLBA, HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, or “any other data security rules and regulations of … any official department, division, commission or agency of the federal or New York State government.”
New York’s SHIELD Act is a significant step toward proactively safeguarding personal data. The Act brings us closer to effective data management customs with an expanded scope of protected information and a definitive checklist of cybersecurity procedures; however, an important consequence may be that it pushes consumers and businesses further away from regulatory clarity and equilibrium.
In addition, although New York recently failed to raise the bar with the New York Privacy Act and private rights of action, executive accountability and the evolution of data from asset to liability appear on the horizon. As states such as New York and California lead the charge for consumer protection, a growing patchwork of cybersecurity and privacy laws will continue to pose challenges for businesses operating nationally. A comprehensive cybersecurity program and regular assessment of that program will be necessary for businesses to remain complaint as new laws are introduced.