On June 17, 2019, the New York Legislature passed the “Stop Hacks and Improve Electronic Data” Act (S.6933-B) (SHIELD). If signed by the governor (expected soon), SHIELD will provide stronger protections for New Yorkers by imposing strict cybersecurity requirements on all companies that handle their private information, even if those companies are located elsewhere. SHIELD updates New York’s existing privacy protection laws governing data breach notification requirements, consumer data protection obligations, and broadens the Attorney General’s oversight over data breaches impacting New Yorkers. Below, we provide an overview of the key changes, and how those changes will impact companies handling personal information belonging to New York residents.
Overview of key changes
Expands the types of “Private information” subject to breach notice duties. SHIELD expands the types of “private information” subject to mandatory reporting duties to include: (1) financial account numbers that can be used to access a financial account (even without a security code or PIN), (2) biometric data, (3) protected health information under HIPAA, and (4) username or e-mail address in combination with a password or security question and answer that permits access to an online account.
Broadens the definition of “data breach” to include unauthorized “access.” SHIELD expands the definition of a “breach of the security of the system” from mere “acquisition” of computerized data to now include “unauthorized access” to Private Information. In determining whether information has been accessed by an unauthorized person, a business should consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization.
Adopts a risk of harm threshold for notification to individuals. SHIELD establishes that notification to individuals is not required if the data exposure was inadvertent, and the business determines that misuse of such information, or financial or emotional harm to the affected individuals, is unlikely. That determination, however, must be documented in writing, and the business must notify the determination to the Attorney General within 10 days of making the decision.
Establishes obligations to maintain reasonable security safeguards for private information. SHIELD also imposes obligations to maintain “reasonable security safeguards to protect the security, confidentiality and integrity of private information. By “reasonable security,” SHIELD requires businesses to develop, implement, and maintain “reasonable safeguards to protect the security, confidentiality, and integrity” of Private Information, including data disposal. With the exception of certain entities (e.g., those subject to federal financial or health authorities), businesses are deemed compliant with SHIELD’s “reasonable security requirement” when the following administrative, technical, and physical safeguards have been put in place:
(1) designates one or more employees to coordinate the security program
(2) identifies reasonably foreseeable internal and external risks
(3) assesses the sufficiency of safeguards in place to control the identified risks
(4) trains and manages employees in the security program practices and procedures
(5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract
(6) adjusts the security program in light of business changes or new circumstances
(1) assesses risks in network and software design
(2) assesses risks in information processing, transmission, and storage
(3) detects, prevents and responds to attacks or system failures;
(4) regularly tests and monitors the effectiveness of key controls, systems and procedures
(1) assesses risks of information storage and disposal
(2) detects, prevents, and responds to intrusions
(3) protects against unauthorized access to or use of Private Information during or after the collection, transportation and destruction or disposal of the information
(4) disposes of Private Information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
SHIELD is expected to become effective shortly after the governor signs it into law. Companies failing to comply with the enhanced obligations set out in SHIELD could face penalties of up to USD 5,000 per violation or USD 250,000 in total.
If you have any questions about this legislative development or any other privacy law, please do not hesitate to reach out to one of the Contact Partners listed below.
Contributor: Nidhi Narielwala