New York Expands The Data Security Requirements And Increases The Data Breach Penalties For Entities Holding New Yorkers’ Private Information

Husch Blackwell LLP

Key Point: The SHIELD Act increases the statutory penalties for knowing and reckless violations of the State’s data breach notification law. It also authorizes the NY Attorney General to pursue injunctive relief and monetary penalties against persons and businesses who fail to implement reasonable safeguards to protect New York residents’ private information.

On July 25, 2019, New York Governor Andrew Cuomo signed two bills related to data privacy and identity theft. In our June 24 post, we summarized the contents of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The second signing was the Identity Theft Prevention and Mitigation Services bill. Highlights of the laws’ requirements and effective dates are described below.

The SHIELD Act expands the categories of data that constitute private information, and it expands the definition of a data breach to include unauthorized access to computerized data. The law also spells out the procedures and documentation a covered entity must complete when a good-faith determination is made that a data breach did not occur.

The penalties for knowingly or recklessly violating the data breach notification requirements were increased to $20 per instance, with a maximum cap of $250,000.00.

The provisions above go into effect on Thursday, October 24, 2019.

The provision in the SHIELD Act that has garnered public attention is the requirement for reasonable security measures. The SHIELD Act adds General Business Law § 899-bb, which requires persons and businesses that own or license computerized private information of New York residents to “develop, implement and maintain reasonable safeguards to protect security, confidentiality and integrity of that private information, including the proper disposal of such data.” These safeguards must take into account administrative, technical and physical measures to protect the information.

Of note, the standard for evaluating whether the safeguards adopted by statutorily defined small businesses are compliant is whether the safeguards are “appropriate for the size and complexity of the small business, and the sensitivity of the personal information” collected.

Section 899-bb will go into effect on or about Sunday, March 22, 2020.

Governor Cuomo also signed the Identity Theft Prevention and Mitigation Services bill, which amends General Business Law § 380-t and lays out the minimum requirements for long-term protections for New York residents who have been affected by a data breach at a credit reporting agency. This bill incorporates by reference the same definition of a data breach revised by the SHIELD Act.

The Identity Theft legislation goes into effect on Monday, September 23, 2019.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising
