In July 2019, New York Gov. Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which amended New York’s data breach notification law to broaden notification obligations and impose new data security requirements on companies to secure private information. The breach notification provisions took effect in October 2019; the heightened data security requirements take effect on March 21, 2020.

This is not the first data security law enacted in New York. Nearly three years ago, New York adopted the New York Department of Financial Services (NYDFS) Cybersecurity Regulations, which established heightened security requirements for covered financial entities. However, unlike the NYDFS Cybersecurity Regulations, the SHIELD Act broadly covers all businesses that store information of New York residents, regardless of industry.

Summary of SHIELD Act

The SHIELD Act significantly expanded the scope of New York’s data security law through a number of key changes:

• heightened the data security requirements that must be adopted

• broadened what constitutes a “breach” to include unauthorized access, instead of just the unauthorized acquisition of computerized data

• broadened notice requirements, including requiring notice to the New York Attorney General of breaches involving entities that are regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPPA) or the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Security Requirements Needed by March 21, 2020

The SHIELD Act requires businesses to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information,¹ the definition of which has been expanded under the SHIELD Act. Entities that are subject to, and in compliance with, laws like HIPAA, Gramm-Leach-Bliley, or the NYDFS Cybersecurity Regulations, are deemed to be compliant with SHIELD Act requirements. All other businesses must implement a data security program that includes reasonable administrative, physical and technical safeguards, such as the safeguards set out below, unless the business qualifies as a “small business.”² GBL § 899-bb(2)(b)(ii)(a)-(c).

Reasonable Administrative Safeguards

• designate an employee who coordinates the security program

• perform assessments that identify reasonably foreseeable external and internal risks

• assess the sufficiency of safeguards in place to control identified risks

• provide reasonable training and management of employees in the security program practices and procedures

• establish procedures to select service providers capable of maintaining appropriate safeguards, and require that the service providers implement those safeguards by contract

• ensure procedures adjust to reflect business changes and new circumstances.

Reasonable Technical Safeguards

• assess risks in network and software design

• assess risks in information processing, transmission and storage

• detect, prevent and respond to attacks or system failures

• regularly test and monitor the effectiveness of key controls, systems and procedures.

Reasonable Physical Safeguards

• assess risks of information storage and disposal

• detect, prevent and respond to intrusions

• protect against unauthorized access to, or use of, private information during or after the collection, transportation and destruction or disposal of the information

• properly delete private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Small businesses are not exempt from the SHIELD Act, but they are not held to the prescriptive standards for safeguards with respect to what constitutes a reasonable security program. Instead, a small business must have reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information collected. GBL § 899-bb(2)(c).

While the SHIELD Act does not create a private right of action (GBL § 899-bb(2)(e)), the Act makes any violation of the data security requirements a violation of GBL § 349, which prohibits deceptive acts and practices in the conduct of any business. These violations are enforceable by the New York Attorney General, with civil penalties of $5,000 per violation. GBL § 350-d.

Current Breach Notification Requirements

The breach notification requirement is triggered by a breach of “private information.” Private information is defined as personal information in combination with any one or more enumerated data elements that are not encrypted, or were encrypted with an encryption key but where the key was accessed or acquired. Moreover, what constitutes a breach under New York law was expanded by the SHIELD Act.

As amended, a breach occurs when there is unauthorized access or unauthorized acquisition of computerized private information. By enlarging the law’s scope to include “access,” triggering events that require notice to both the individuals affected and the New York Attorney General potentially include instances where an unauthorized actor only viewed private information.

Additionally, it is important to note that an entity subject to the HIPPA/HITECH 60-day notification requirement must also provide such notification to the New York Attorney General within five business days of making the HIPPA disclosure. GBL § 899-bb(9).

Key Points

With the effective date of the SHIELD Act’s security requirements looming, businesses should:

• Assess their current safeguards for compliance with the SHIELD Act’s data security program requirements.

• Assess vendor relationships and vendor contracting practices to ensure contracts require that vendors maintain appropriate safeguards.

• Comply with the SHIELD Act’s expanded data breach notification obligations, including with respect to entities subject to HIPAA, which must notify the New York Attorney General of any data breach affecting New York residents within five business days of notifying the U.S. Department of Health and Human Services.

• Keep in mind the expanded legal requirements when electing to use New York governing law in contracts. In particular, businesses may find that New York’s heightened obligation with respect to security safeguards exceeds their own state’s security requirements.

Endnotes

¹ “Private information” shall mean either: (i) personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired: (1) Social Security number; (2) driver’s license number or non-driver identification card number; (3) account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; (4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or (5) biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; or (ii) a user name or email address in combination with a password or security question and answer that would permit access to an online account. “Personal information” is a defined term and means any information concerning a natural person that, because of name, number, personal mark, or other identifier, can be used to identify such natural person. GBL § 899-aa(1)(a).

[View source.]