New York Expands Data Privacy Protections

Dorsey & Whitney LLP

New York continued its active legislative session last week, this time by expanding its data breach notification law.  The SHIELD Act (Stop Hacks and Improve Electronic Data Security), signed by Governor Andrew Cuomo on July 25, 2019, notably broadens both the definition of a data breach and the scope of what constitutes personal information.  The law could have gone further: the state did not enact a private right of action, as California has done and as several other states are considering.  New York's action does, however, contain several other very significant provisions for companies handling data breaches that involve New York residents.

Here are the major elements of the SHIELD Act:

  • Expanded Definition of What Constitutes a Data Breach:  New York expanded its definition of a data breach (a “breach of the security of the system”) to include instances in which an attacker merely views (“accesses”) personal information, even if the attacker does not download, copy, or otherwise acquire that information (the acquisition commonly labeled “exfiltration”).  Under the expanded definition, any unauthorized “access” triggers the company’s obligation to provide notice of the data breach; in practice, this means that evidence of unauthorized access alone, without proof that data left the system, is enough to require notification.
  • Expanded Definition of Personal Information:  New York also expanded its definition of personal information (“private information,” in the Act’s terms) to include two new categories:  (1) biometric information, such as a fingerprint or “voice print”; and (2) an email address or user name in combination with the corresponding password, or with a security question and answer that would permit access to an online account.  The law also requires a company to provide notice when an attacker accesses information protected under HIPAA, just as if that information were “private information” under New York’s definition.
  • Global Reach:  The law applies to every company holding the private information of a New York resident, regardless of where the company is based.  As with the GDPR and, soon, the California Consumer Privacy Act, the enforceability of this extraterritorial reach remains open to question.
  • Increased Penalties:  The new law increases the maximum penalty for failure to provide notice from $150,000 to $250,000, and authorizes a statutory penalty of the greater of $5,000 or $20 per instance of failed notification.  The law also authorizes courts to award actual damages to affected consumers.
  • Enforcement:  The law will be enforced by the Attorney General’s Office, and the breach notification provisions take effect 90 days after signing, i.e., in late October 2019.
  • Ramp Up to Improved Cybersecurity Programs:  The law also requires companies to improve their cybersecurity programs by March 2020.  The law specifies a number of “administrative, technical and physical safeguards” that each company must implement by that date, and requires each company to designate an employee to coordinate the cybersecurity program.  The law makes an exception for a “small business,” defined as a company with either: (1) fewer than fifty employees; (2) less than $3 million in gross annual revenue in each of the last three fiscal years; or (3) less than $5 million in year-end total assets.  Small businesses are still required to maintain “reasonable” safeguards, scaled to their size, the nature of their activities, and the sensitivity of the information they hold.

Increased Requirements for Consumer Credit Reporting Agencies:  That same day, Governor Cuomo also signed a bill addressing consumer credit reporting agencies, a direct response to the Equifax breach of 2017.  The new law requires a consumer credit reporting agency to provide identity theft prevention and mitigation services to consumers affected by a security breach at that agency.  The agency must provide those protections to an affected consumer for five years, and cannot charge the consumer fees for placing, lifting, or removing security freezes on credit reports.

What’s Next
In the absence of any overarching federal breach notification or consumer privacy law, states are expected to continue adopting initiatives that require companies to protect consumers’ personal information.  Whether through an expanded definition of personal information, greater statutory penalties, or a private right of action, individual states can be expected to keep pace with, or in some instances outpace, developments in other states.  The challenges of this emerging ‘patchwork quilt’ of regulations may be significant, but compliance always starts with robust information governance policies and procedures: knowing what personal information you hold, where it is, who can access it, and how access is logged.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising
