On July 25, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act into law making New York the latest state to expand protections for its residents.
The SHIELD Act alters the existing data breach law by expanding the definitions of “breach” and “private information.” “Breach” was formerly defined as an unauthorized acquisition of private information. Now, unauthorized access to a system that compromises the security, confidentiality, or integrity of private information maintained by a business is considered a breach. When making the determination as to whether private information was accessed, businesses may consider indications that the information was viewed, used, or altered by a person without valid authorization or by an unauthorized person. The definition of “private information” has been expanded to include account and credit or debit card numbers without the PIN or password if the exposure would likely result in financial harm without that additional information. Biometric information, and a user name or email address in combination with a password or security question and answer has also been added to the definition. The SHIELD Act applies to business entities only.
The SHIELD Act also requires “covered entities” as defined and applicable under the Health Insurance and Portability and Accountability Act (“HIPAA”) to provide notification to the New York Attorney General of a breach that requires notice to the Secretary of the Department of Health and Human Services (“HHS”) no later than five days after the reporting is made to HHS. Notification is required regardless of whether the breach qualifies as “private information” as defined in the statute.
New York also added a risk of harm analysis to its data breach law, as many other states have already done. When exposure is unlikely to result in misuse of such information or financial harm, organizations are not required to notify individuals. A risk assessment documenting the conclusion must be maintained for 5 years. If the incident affects 500 or more New York residents, the analysis must be provided to the Attorney General within 10 days.
All of the aforementioned changes take effect on October 23, 2019, which is 90 days after the amendments were signed into law.
Significant Changes
The most significant SHIELD element is the reasonable security requirement, mandating owners and licensees of New York residents’ private information to develop, implement, and maintain “reasonable safeguards” to protect private information. HIPAA, Health Information Technology for Economic and Clinical Health (“HITECH”), and Gramm-Leach-Bliley Act compliant organizations are considered compliant with this reasonable security requirement. Organizations can be brought into compliance by implementing a data security program that includes administrative, technical, and physical safeguards. The legislation enumerates qualifying reasonable safeguards within each grouping. For applicable businesses, excluding “small businesses”, the safeguards will likely require significant resources and time to properly implement. Accordingly, the compliance date for this requirement is March 21, 2020, 240 days after the legislation was signed into law.
Lessons Learned and Trends
As new legislation shifts focus from reactive to a proactive approach, companies should anticipate similar legislation in other states. These laws place a heavier burden on a business to adequately protect the information within their control prior to a breach. Each year, states continue to amend their data protection laws in an effort to evolve with the ever changing information security landscape. Conversely, as threat actors mature their processes, the corresponding laws must change to match emerging threats.
Companies that own and license New York residents’ private information should review their current data security program to ensure their infrastructure and controls meet the requirements enumerated in SHIELD.
