New York SHIELD Act Expands Breach Notice Requirements Starting in October
Tuesday, August 27, 2019
consumer privacy, NY SHIELD Act, private information, breach notification
Print Mail Download i

As we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective October 23, 2019.

As amended, the scope of private information which, if breached, may trigger notification obligations to individuals will be broadened. Added to the existing definition of private information will be biometric information, username in combination with a password or security question and answer that permits access to an online account, and an account number or credit or debit card numbers without additional identifying information if the number can be used to access an individual’s financial account. The amendment similarly broadens the definition of a breach, which will now include “access” alone to triggering information (as opposed to the prior definition which limited a breach to “acquisition of” triggering information). In determining whether unauthorized access has occurred, the SHIELD Act now explains that businesses may consider “indications that the information was viewed, communicated with, used or altered.”

Companies who determine that misuse or financial harm is unlikely do not need to notify, but must document that determination and maintain it for at least 5 years. However, if the incident involves over 500 New York residents, the company will have to submit that determination in writing to the attorney general within ten days after making such a determination. The law also contains some minor additional modifications, like including in any consumer notice the phone number and website of the relevant state and federal agencies that provide information on security breach response and identity theft prevention and protection information.

Putting it Into Practice: Companies that maintain a nationwide breach notice plan will want to take into account these updates to the NY notice requirements, including the expanded scope of triggering information and the definition of a “breach.”

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.

Current Legal Analysis

More from Sheppard, Mullin, Richter & Hampton LLP

Health-e Law Episode 8: What We Heard at HIMSS 2024 with Michael Orlando & Carolyn Metnick [Podcast]
by: Michael D. Orlando , Carolyn V. Metnick
New York Court of Appeals Rules in Favor of Insurers on COVID Coverage
by: Sylvia Waghorne
Massachusetts AG Says Consumer Protection, Civil Rights, and Data Privacy Laws Apply to Artificial Intelligence
by: James G. Gatto
DOJ Plans to Apply the New Whistleblower Rewards Pilot Program to FCPA Cases
by: Michael J. Gilbert , Jennifer N. Le
Increased Scrutiny into Agents & Brokers in the Medicare Advantage Space
by: Erica J. Kraus , Calla Simeone
CMS Issues CY2025 Medicare Advantage and Part D Final Rule
by: Christine M. Clements , Arushi Pandya
CMS Announces Medicare Advantage and Part D Rates for CY 2025
by: Carter D. Gage , Krysten Thomas
SCOTUS Declines to Review New York City’s Rent Stabilization Law
by: Ross A. Honig
New Court Ruling Pokes Holes in Contractual Limitation of Liability Language in Commercial Leases
by: David M. Gao
States Sue the Biden Administration to Stop Loan Relief Plan
by: Moorari Shah , A.J. S. Dhaliwal

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins