New York’s New Data Breach Notification Law: What Businesses Should Know
As the COVID-19 pandemic continues to demand the attention of corporate leaders and the public at large, businesses have likely had little time to get up to speed on New York’s new data breach notification law, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The SHIELD Act, which went into effect on March 21, 2020, significantly alters New York’s prior data breach notification law, both by expanding the reach of information covered and by imposing new data security requirements on regulated entities. Given these changes, as well as expanded enforcement powers for the New York Attorney General’s office, businesses would be wise to ensure that they are in compliance with the new law.
For regulated entities, it’s critical to understand the provisions that impact their business practices. Key takeaways from the SHIELD Act include:
- Expansion of Territorial Scope: The SHIELD Act applies to any person or business that owns or licenses the private information of a New York resident. Previously, New York’s data breach law was limited to persons or entities that conducted business in New York.
- Expansion of the Definition of “Private Information”: The definition of “private information” that would trigger a breach notification is broader than the previously used definition. “Private information” now includes both “biometric information” and a “user name or email address in combination with a password or security question and answer that would permit access to an online account.” It also includes an account number and/or credit/debit card number, even without a security code, access code or password, if the account can be accessed without such information.
- Expansion of the Definition of a “Breach”: Under the previous law, a breach was defined as the unauthorized “acquisition” of private information. However, the SHIELD Act has expanded the definition of a breach to include the unauthorized “access” of computerized data that compromises the security, confidentiality or integrity of private information. The SHIELD Act defines “access” as situations where there are “indications that the information was viewed, communicated with, used or altered by a person without valid authorization or by an unauthorized person.” Such indications include whether the information is in the physical possession or control of an unauthorized person, whether the information has been downloaded or copied, or whether the information was used by an unauthorized person.
- Imposition of “Data Security” Requirements: The SHIELD Act requires companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. Rather than setting forth specific requirements for safeguarding private information, the SHIELD Act states that businesses will be deemed in compliance if:
  - It is a compliant regulated entity.
  - It implements a data security program having reasonable administrative safeguards, such as: designating employees to coordinate the data security program; identifying reasonably foreseeable risks; assessing the sufficiency of safeguards in place; training employees on security practices; selecting appropriate service providers; and adjusting the program to address new circumstances.
  - It implements a data security program having reasonable technical safeguards, such as: assessing risks to network and software design; assessing risks to information processing, transmission, and storage; detecting, preventing, and responding to attacks; and regularly testing and monitoring the effectiveness of key controls, systems, and procedures.
  - It implements a data security program having reasonable physical safeguards, such as: assessing risks of information storage and disposal; detecting, preventing, and responding to intrusions; protecting against unauthorized access to or use of private information; and disposing of private information within a reasonable amount of time after it is no longer needed for business purposes.
If a regulated individual or entity fails to comply with the requirements of the SHIELD Act, the New York Attorney General is empowered to bring a civil action that carries penalties up to $5,000 per violation. Importantly, the SHIELD Act empowers the Attorney General to bring an action before a data breach occurs, based solely on a company’s failure to implement reasonable data security safeguards. Regulated individuals and entities should expect that the Attorney General’s office will fully utilize its new and expanded enforcement powers. Unlike the California Consumer Privacy Act (CCPA), however, the SHIELD Act does not create a private right of action.
Given its expanded reach and new data security requirements, the SHIELD Act is likely to have a significant impact on regulated entities’ privacy and security practices. In order to avoid enforcement penalties, businesses should ensure that they are in compliance with the SHIELD Act’s provisions.