For Marvel Entertainment fans, this one’s for you: Step aside Nick Fury, New York has a new SHIELD. New York State recently passed a new law extending protections against cyber-attacks for its residents with NY Senate Bill S5575B, also known as the “Stop Hacks and Improve Electronic Data Security Act” or SHIELD Act, for short. This Act expands New York’s data breach notification statute in its definitions, notice provisions, and scope, and in the compliance requirements it imposes on any individual or business handling New York residents’ computerized private information.
The SHIELD Act first redefines “private information” to include a username or e-mail address in combination with a password or security question and answer for online accounts, as well as biometric information. It also allows for reporting a breach if an account or credit card number alone (i.e., without an account access code or password) is compromised “if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password.” More subtly, it expands the definition of “breach of security of the system” to include unauthorized access to private information as well as unauthorized acquisition of it. The addition of “access” means the statute is triggered without an incident having to reach “acquisition,” a term more readily applicable to scenarios affecting control, possession, and use of that private information.
Notice provisions are also expanded under the SHIELD Act to include a harm assessment of the kind other states use in their notification determination process. Simply put, inadvertent disclosure of private information by authorized persons won’t require notice, provided the organization reasonably determines that such disclosure is not likely to result in misuse of that information or in financial harm (or emotional harm in certain specific situations). Procedural elements must be followed, including putting that determination and its rationale in writing and retaining it for five years. For an incident impacting over five hundred residents, the Attorney General must be provided with that determination.
The SHIELD Act also expands scope of the breach notification statute and now has international implications as it covers any person or business that “owns or licenses” any such “private information” belonging to residents of New York, regardless of location. Whether you run a bodega in the Bronx or a tech start-up in Wakanda (another Marvel reference!), if you possess private information about a New York resident, you are within scope of SHIELD enforcement.
The last part of SHIELD’s expansion involves compliance. Specifically, it creates a new Section 899-bb that requires all organizations to have substantive data protections in place to protect “private information” through implementation of a data security program. The data security program must include reasonable administrative, technical, and physical safeguards to protect private information. Section 899-bb identifies specific criteria that each of the safeguard pillars may contain in order to be compliant, such as appointing an employee to coordinate the program (administrative); network risk assessments (technical); and intrusion detection (physical). It also provides for scalability of data protection programs for small businesses. For this seemingly sweeping mandate under Section 899-bb, there is a saving grace. If a business is already compliant with GLBA, HIPAA Part 500 or any other federal or New York State data security rules, regulations, or statutes, Section 899-bb does not apply. Absent that exception, though, a failure to comply with 899-bb can lead to injunctive relief or an award of damages for actual costs or losses (including consequential financial losses) to a person entitled to notice. A knowing or reckless violation of the Article could lead to a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, with an upper limit of $250,000 in penalties. The SHIELD Act also extends the time period to bring an enforcement action from two to three years. Finally, the SHIELD Act leaves open the possibility that, even without an incident of breach, the AG could seek to impose penalties for failure to comply with the 899-bb safeguard requirements.
Given the complexity and nature of the amendments the SHIELD Act makes, organizations are well advised to pay close attention to their responsibilities both to adopt reasonable security measures protecting New York residents’ private information and to provide notice in the unfortunate event of a data breach. The SHIELD Act breach notification amendments are effective on October 23, 2019, while the data security requirements are effective on March 21, 2020. This gives businesses a grace period to come into compliance, a task made far easier with coordination and consultation with breach notification legal professionals.