December 3, 2020

Volume X, Number 338

Advertisement

December 03, 2020

Subscribe to Latest Legal News and Analysis

December 02, 2020

Subscribe to Latest Legal News and Analysis

December 01, 2020

Subscribe to Latest Legal News and Analysis

New York SHIELD Act Expands Breach Notice Requirements Starting in October

As we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective October 23, 2019.

As amended, the scope of private information which, if breached, may trigger notification obligations to individuals will be broadened. Added to the existing definition of private information will be biometric information, username in combination with a password or security question and answer that permits access to an online account, and an account number or credit or debit card numbers without additional identifying information if the number can be used to access an individual’s financial account. The amendment similarly broadens the definition of a breach, which will now include “access” alone to triggering information (as opposed to the prior definition which limited a breach to “acquisition of” triggering information). In determining whether unauthorized access has occurred, the SHIELD Act now explains that businesses may consider “indications that the information was viewed, communicated with, used or altered.”

Companies who determine that misuse or financial harm is unlikely do not need to notify, but must document that determination and maintain it for at least 5 years. However, if the incident involves over 500 New York residents, the company will have to submit that determination in writing to the attorney general within ten days after making such a determination. The law also contains some minor additional modifications, like including in any consumer notice the phone number and website of the relevant state and federal agencies that provide information on security breach response and identity theft prevention and protection information.

Putting it Into Practice: Companies that maintain a nationwide breach notice plan will want to take into account these updates to the NY notice requirements, including the expanded scope of triggering information and the definition of a “breach.”

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume IX, Number 239
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077
Elfin Noce Business Trial Attorney
Associate

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

Practices

  • Litigation

Industries

  • Communications

Education

  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000

Admissions

  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri

202.747.2196
Associate

Rebecca Mackin is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

312-499-6328
Advertisement
Advertisement