October 18, 2019

New York: Reasonable InfoSec or Not Reasonable InfoSec? That Is The Question.

Last week, the New York State Senate, at the request of the state attorney general, passed the “Stop Hacks and Improve Electronic Data Security Act” (the “Shield” Act). The bill is now working its way through the New York State Assembly and is expected to be signed by the governor once it passes. The Shield Act creates affirmative data security obligations, lists factors for determining whether information has been accessed without authorization, increases civil penalties for failure to notify, and extends the statute of limitations on enforcement actions.

The Shield Act would impose an affirmative obligation on covered entities to “implement and maintain reasonable safeguards” for the private information they collect. One way to satisfy that obligation is to implement and maintain an information security program of the kind the Act describes.

The Shield Act spells out what such a program looks like. An entity would be deemed to have reasonable safeguards, and so to have met its affirmative obligation, if it implements certain administrative, technical and physical measures. On the administrative side, a business should designate one or more employees to coordinate the information security program, identify and address reasonably foreseeable internal and external risks, train its employees, and select vendors capable of maintaining appropriate safeguards and require those safeguards by contract.

To comply with the Shield Act, entities will also need reasonable technical safeguards. These include assessing risks in network and software design and in how information is processed, transmitted and stored, and regularly testing and monitoring the effectiveness of key controls, systems and procedures. On the physical side, entities will be expected to dispose of private information within a reasonable time after it is no longer needed for business purposes.

New York already has a data breach notification law; the legislature is using the Shield Act to supplement the obligations of companies that expose data of New York residents, with new definitions and notification requirements. A breach is defined as “unauthorized access to or acquisition of, or access to or acquisition without valid authorization” of computerized data. In determining whether information has been accessed without authorization, an entity may consider (i) indications that the information is in the physical possession or control of an unauthorized person, (ii) indications that the information has been downloaded or copied, and (iii) the opening of fraudulent accounts or other evidence of identity theft.

This legislation continues the recent trend of increasing fines and penalties on businesses that lose or expose consumer data. Entities that knowingly or recklessly violate the Shield Act’s notification requirements would face a civil penalty of at least $5,000 and up to $250,000. The Act also gives the attorney general more time to bring claims by extending the statute of limitations from one year to three years after the earlier of (i) the date on which the attorney general became aware of the violation or (ii) the date the business sent notice to the attorney general.

Entities that own or license computerized data of New York residents should consider the Shield Act’s provisions when creating or updating their administrative, technical and physical security procedures. Compliance will require diligence in contract drafting (particularly vendor agreements), human resources practices such as employee training, and technical risk assessments.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Theodore Claypoole
Senior Partner

As a Partner in the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addresses information security risk management and cross-border data transfer issues, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Dominic Dhil Panakal

Dominic is a member of the firm’s IP Transactions, FinTech, and Privacy and Cybersecurity practices.

Dominic advises clients on international and domestic data privacy laws. He also assists in drafting Software as a Service agreements, privacy policies, terms of use, and licensing contracts.