New York Governor Signs Bill Expanding Data Breach Notification Law
New York Governor Andrew M. Cuomo signed a bill into law last week that expands New York’s data breach notification law. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act brings the New York data breach notification law on par with other state data breach notification laws that have been amended in the last year or so.
The SHIELD Act expands the definition of personal information to include biometric information as well as email addresses in combination with a password or security questions and answers. The law also expands the definition of a data breach to include unauthorized access to personal information, in addition to an unauthorized use or disclosure.
The law now applies to any person or company that owns or licenses personal information of a New York resident, not just entities conducting business in the state.
The law allows companies to conduct a risk-of-harm analysis in the event of an inadvertent disclosure, which must be documented in writing. If a company determines that notice is not required because the risk assessment concludes that the access or disclosure will not likely result in the misuse of data or in financial or emotional harm to the individual, and the incident involves more than 500 New York residents, the written determination must be provided to the New York Attorney General within 10 days of the determination. If the entity fails to notify the individual, the law increases civil penalties to the greater of $5,000 or $20 per record, with a cap of $250,000.
Finally, the law includes data security requirements that companies must put in place, consistent with other state laws. Companies must implement and maintain administrative, technical and physical safeguards to protect and dispose of personal information. This is similar to the requirements of Massachusetts, Rhode Island and Oregon, which require businesses to have a Written Information Security Program, also known as a WISP, in place.
The security requirements go into effect on March 21, 2020, with the rest of the provisions taking effect on October 23, 2019. It is a good time to determine whether your business has a WISP in place and to implement one if not.