The New York State Senate recently passed The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, leaving only the Governor’s signature as the final step to the SHIELD Act becoming the country’s newest—and one of the most stringent—breach notification laws.  Given Governor Cuomo’s previous support for robust cybersecurity protections, New York may soon join a growing number of states beefing up their notification statutes.

We previously looked at the SHIELD Act’s original draft, including a two-part series on its key provisions.  But the version passed by both houses of the legislature varies from the original.  Some of the key modifications include the following:

• In contrast to the original draft, notification of a breach is not required if the exposure of data was “inadvertent” by someone “authorized to access” the information, and the covered entity makes a reasonable determination that exposure of the data will not result in any harm.  While this will likely take some degree of pressure off businesses dealing with lower-risk data exposures, it will also require decision-makers to carefully consider the circumstances of apparent “inadvertent” breaches, assess the likelihood of resulting harm, and fully document any decision that notice is not required.
• In the event of a breach, if affected persons are notified pursuant to the Gramm-Leach-Bliley Act, HIPAA or the HITECH Act, the NY Department of Financial Services Cybersecurity Regulation, or “any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government,” the SHIELD Act does not require additional notice to affected persons, but still mandates notice to the NY Attorney General, the NY Department of State, and the NY State Police.
• With respect to enforcement actions for non-compliance that can be brought by the Attorney General, while an action still must be brought within three years of the date the Attorney General first becomes aware of the violation or the date the notice was sent, whichever occurs first (the same as the limitations period from the original draft), the newly passed bill adds an additional limitation that precludes the Attorney General from bringing a claim more than six years from the date of discovery of the breach “unless the company took steps to hide the breach.”  Notably, businesses can continue to take some comfort in the fact that the SHIELD Act does not create a private right of action.
• Any covered entity required to provide notification of a breach to the “secretary of health and human services pursuant to [HIPAA] or the [HITECH] Act” must also notify the Attorney General within five business days of notifying the secretary of HHS—even if the breach does not contain “private information” as defined by the SHIELD Act itself.
• The original legislation contained a “safe harbor” provision, which provided a covered entity with protection from Attorney General enforcement actions if the entity had taken steps to certify its compliance with the Act’s “reasonable safeguards” requirement with an authorized independent third-party.  The version passed by the Senate, however, removed the “safe harbor” provision.  While covered entities can still take steps to be deemed “compliant” with the Act’s requirements, those same entities will still be exposed to the threat of enforcement actions in the case of a breach.

As we’ve noted before, in comparison to recent legislation in other states, the SHIELD Act stands out because it covers any person or business that holds the personal information of New York residents; a physical presence or doing business in New York state is not a prerequisite to the statute’s coverage.  This is a departure from—and expansion of—New York’s previous data breach notification law, which only covered persons and businesses “conduct[ing] business in New York state.” 

The SHIELD Act, if signed into law, would join Delaware and Florida in requiring persons and businesses to take “reasonable” measures to protect personal information.  But unlike Delaware’s and Florida’s laws, the SHIELD Act identifies specific steps an entity can take to implement “reasonable safeguards.”  Some of those steps include implementing administrative, technical, and physical safeguards on covered data, such as the following: (1) designating a person, or persons, to coordinate an organization’s security program, (2) training employees in the security program, (3) regularly testing and monitoring the effectiveness of data controls, systems, and procedures, (4) assessing risks in network and software design, and (5) disposing of private information once it is no longer needed.  Nonetheless, covered entities will need to carefully consider the “reasonable” measures they implement since they will have implications for an organization’s dealings with the Attorney General’s office in the case of a breach, as well as any related civil litigation.  And adding yet another layer of analysis, some covered entities can be deemed “in compliance” with the “reasonable safeguards” requirement if they are both subject to and compliant with Gramm-Leach-Bliley, HIPAA or the HITECH Act, the NY Department of Financial Services Cybersecurity Regulation or “any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government.”

New York continues to be at the forefront of cybersecurity regulation.  Indeed, New York Senator Kevin Thomas, who sponsored the SHIELD Act, recently introduced the New York Privacy Act, legislation that is similar but potentially even more expansive than California’s CCPA.  That bill is currently in committee in Albany.

We’ll continue to report on the SHIELD Act and how it fares on the Governor’s desk.