August 13, 2020

Volume X, Number 226

New York Governor Signs Bill Expanding Data Breach Notification Law

New York Governor Andrew M. Cuomo signed a bill into law last week that expands New York’s data breach notification law. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act brings the New York data breach notification law on par with other state data breach notification laws that have been amended in the last year or so.

The SHIELD Act expands the definition of personal information to include biometric information as well as email addresses in combination with a password or security questions and answers. The law also expands the definition of a data breach to include unauthorized access to personal information, in addition to an unauthorized use or disclosure.

The law now applies to any person or company that owns or licenses personal information of a New York resident, not just entities conducting business in the state.

The law allows companies to conduct a risk-of-harm analysis in the event of an inadvertent disclosure, which must be documented in writing. If a company determines that notice is not required because the risk assessment concludes that the access or disclosure will not likely result in the misuse of data or financial or emotional harm to the individual, and the incident involves more than 500 New York residents, the written determination must be provided to the New York Attorney General within 10 days of the determination. If the entity fails to notify the individual, the law increases civil penalties to the greater of $5,000 or $20 per record, with a cap of $250,000.

Finally, the law includes data security requirements that companies must put in place, consistent with other state laws. Companies must implement and maintain administrative, technical and physical safeguards to protect and dispose of personal information. This is similar to the requirements of Massachusetts, Rhode Island and Oregon, which require businesses to have a Written Information Security Program, also known as a WISP, in place.

The security requirements go into effect on March 21, 2020, with the rest of the provisions taking effect on October 23, 2019. It is a good time to determine whether your business has a WISP in place and to implement one if not.

Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume IX, Number 213


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...