December 9, 2019

December 06, 2019


New York Expands Definition of Private Information and Imposes Groundbreaking Cybersecurity Requirements

The Stop Hacks and Improve Electronic Data Security Handling Act (SHIELD Act) recently enacted by the New York Senate brings New York in line with many states that have expanded their breach notification laws, and imposes new obligations on businesses that hold New York residents’ personal information. Effective October 2019, the Act amends New York’s general business law and state technology law to broaden the definition of “Private Information” (PI) by subjecting three new categories of data to security and breach notification requirements:

  • Financial account and payment card numbers that “could be used to access an individual’s financial account without additional identifying information, security code, access code, or password”

  • Biometric information, “meaning data generated by electronic measurements of an individual’s unique physical characteristics”

  • A “user name or email address in combination with a password or security question and answer that would permit access to an online account.”

The Act is a first for businesses outside the finance sector because it reaches beyond breach notification requirements and imposes cybersecurity obligations by requiring businesses that maintain New York residents’ PI to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.” 

Compliance

Businesses are SHIELD-compliant (1) if they are subject to and compliant with the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or the NYS Department of Financial Services Cybersecurity Requirements, or (2) if they have in place a data security program with reasonable administrative, technical, and physical safeguards; these safeguards are helpfully defined in the Act and largely mirror the National Institute of Standards and Technology’s Cybersecurity Framework. Importantly, the law recognizes compliance for small businesses whose security programs are appropriate for their size and complexity, taking into account the nature and scope of the business activities and the sensitivity of the personal information they possess. The SHIELD Act’s cyber provisions take effect on March 21, 2020.

Exemptions

The SHIELD Act also adds a layer of subjective assessment by exempting notice for “inadvertent disclosures” made by persons authorized to access the private information if reasonably determined that the exposure will not likely result in (1) misuse of such information, (2) financial harm, or (3) emotional harm in the case of unknown disclosure of email credentials as defined under “Private Information.” The Act also excuses notification requirements for organizations that are in compliance with other state and federal privacy regulations, including the GLBA, HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, or “any other data security rules and regulations of … any official department, division, commission or agency of the federal or New York State government.” 

Summary

New York’s SHIELD Act is a significant step toward proactively safeguarding personal data. The Act brings us closer to effective data management customs with an expanded scope of protected information and a definitive checklist of cybersecurity procedures; however, an important consequence may be that it pushes consumers and businesses further away from regulatory clarity and equilibrium. 

In addition, although New York recently failed to raise the bar with the New York Privacy Act and private rights of action, executive accountability and the evolution of data from asset to liability appear on the horizon. As states such as New York and California lead the charge for consumer protection, a growing patchwork of cybersecurity and privacy laws will continue to pose challenges for businesses operating nationally. A comprehensive cybersecurity program and regular assessment of that program will be necessary for businesses to remain compliant as new laws are introduced.

© 2019 Wilson Elser

About this Author

Gregory Bautista, Partner, Wilson Elser

Gregory Bautista is an experienced civil litigator with a focus on data breach response. He is keenly aware of the growing importance of assisting clients in developing and implementing data security risk management measures related to the receipt and use of highly sensitive and confidential data. Greg provides his clients with knowledge and guidance on information governance and e-discovery matters. He has embraced the concept of information governance, which melds the disciplines that exist in all businesses into a powerful enterprise-wide strategy.

914.872.7839