New York Increases Breach Notification and Security Responsibilities
New York State has enacted S5575, the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”). This new law amends New York General Business Code 899-aa and adds Section 899-bb to significantly expand consumer privacy protections and the consequences of a data breach for businesses. The new law will go into effect on October 23, 2019.
New Definition of Private Information
Under current New York law, businesses must disclose a breach of “private information,” which was defined as any information concerning a natural person that can be used to identify that person, such as a name, number, personal mark, or other identifier (“personal information”), combined with certain other data elements as shown in the table below. The SHIELD Act substantially broadens the definition of a consumer’s private information to include personal information combined with additional types of data elements:
| "Private Information" | Prior New York Law | SHIELD Act |
|---|---|---|
| Social Security Number | X | X |
| Driver's License Number/State ID | X | X |
| Account Number, credit or debit card number (if the account can be accessed without additional information, security code, access code, or password) | X | X |
| Biometric Data (i.e. data generated by electronic measurements of an individual’s unique physical characteristics, such as fingerprints, voice prints, retina or iris images, used to authenticate or ascertain the individual’s identity) | | X |
| User Name/Email Address combined with a Password/Security Question Answer used to access an online account | | X |
Expanded definition of Breach of the Security of the System and New Breach Notification Requirements
The SHIELD Act also expands the definition of a “breach of the security of the system” to cover both unauthorized access to, and unauthorized acquisition of, computerized data (including access or acquisition without valid authorization) that compromises the confidentiality, security, or integrity of private information. Previously, unauthorized access, or access without valid authorization, on its own was not considered a breach; only the unauthorized acquisition, or acquisition without valid authorization, of private information constituted a “breach of the security of the system” that could trigger an obligation on the business to notify consumers.
Under the SHIELD Act, businesses will not be required to provide notice to individuals affected by a breach if the disclosure of private information was an inadvertent disclosure by someone authorized to access the information and the business reasonably determines that the disclosure is unlikely to result in either: (a) misuse of the information, (b) financial harm, or (c) in the case of a disclosure of online credentials, emotional harm. Businesses must document such determinations in writing and maintain the documentation for at least 5 years. Furthermore, if the breach involves more than 500 residents of New York, the business must provide the written determination that a notification is not necessary to the New York State Attorney General within 10 days after making the determination.
Furthermore, the new law provides businesses with an exclusion for notifying New York residents of a breach if notice is provided in accordance with the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA, as amended by the HITECH Act), or certain other federal or New York State laws, rules, or regulations.
The SHIELD Act also revises the methods by which businesses can notify individuals and the content of the notice. It maintains the preference for notification in writing, electronically, or by telephone. It also continues to permit substitute notice through email or conspicuous writing when appropriate. However, email notification is no longer permitted if an affected consumer’s access credentials (i.e. the consumer’s email address in combination with a password or security question and answer that would permit access to the online account) have been compromised. In such cases, businesses can instead provide clear and conspicuous notice to the consumer online when the consumer is connected to the online account from an IP address or from an online location that the business knows is customarily used by the consumer to access that account. In addition to the previous requirements concerning content that must be included in breach notifications, breach notifications must now include the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection, which would include the FTC and possibly the New York State Attorney General.
Notice to the New York State Attorney General
The SHIELD Act requires that businesses provide the New York State Attorney General with a copy of the template of the notice sent to affected individuals. If notification is made to the U.S. Secretary of Health and Human Services pursuant to HIPAA or the HITECH Act, businesses will also need to notify the New York State Attorney General within 5 business days of notifying the Secretary. These notices are in addition to the existing requirements to notify the Division of State Police as to the timing, content and distribution of the notices and the approximate number of people affected, and to notify consumer reporting agencies if notification is made to more than 5,000 New York residents at one time.
New Requirements for Reasonable Security
The SHIELD Act also requires that businesses develop, implement, and maintain reasonable security safeguards to protect private information. Certain regulated businesses, such as businesses subject to the GLBA, HIPAA, or certain other federal or New York State laws, rules, or regulations, that are compliant with the security requirements in those regulations, are deemed compliant with the new security requirement.
Small businesses (those with fewer than 50 employees, less than $3,000,000 in gross annual revenue for the last 3 fiscal years, or less than $5,000,000 in total assets) are compliant if their security program contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the business, the nature and scope of the business’ activities, and the sensitivity of the personal information involved.
For all other businesses, a business will be deemed to have developed, implemented, and maintained reasonable security safeguards if it adopts a data security program that contains the following elements:
- reasonable administrative safeguards such as the following, in which the person or business:
  - designates one or more employees to coordinate the security program;
  - identifies reasonably foreseeable internal and external risks;
  - assesses the sufficiency of safeguards in place to control the identified risks;
  - trains and manages employees in the security program practices and procedures;
  - selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
  - adjusts the security program in light of business changes or new circumstances; and
- reasonable technical safeguards such as the following, in which the person or business:
  - assesses risks in network and software design;
  - assesses risks in information processing, transmission and storage;
  - detects, prevents and responds to attacks or system failures; and
  - regularly tests and monitors the effectiveness of key controls, systems and procedures; and
- reasonable physical safeguards such as the following, in which the person or business:
  - assesses risks of information storage and disposal;
  - detects, prevents and responds to intrusions;
  - protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
  - disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Penalties for Violations
The consequences for failure to notify affected persons in the event of a breach can be severe. Upon evidence that the breach notification requirements have been violated, the New York Attorney General may bring an enforcement action for up to 3 years after the earlier of either the date on which the Attorney General became aware of the violation or the date that notice was sent to affected persons pursuant to the law. If a court finds that a business failed to satisfy the requirements of the law, the court may award actual costs or losses, including consequential financial losses, for all affected persons. If a business is found to have knowingly or recklessly violated the law, the court may impose the greater of either five thousand dollars or twenty dollars per instance of failed notification, up to a maximum penalty of two hundred fifty thousand dollars. Courts interpreting similar laws have often applied this “per instance” language such that each individual a business fails to notify is deemed a separate instance, which can add up quickly.
A failure to develop, implement, and maintain reasonable security measures is considered a deceptive business practice, and the Attorney General can bring an action and seek an injunction and/or civil penalties of up to $5,000 for each violation.