In 2019, New York's state legislature did not pass the NYPA, the New York Privacy Act. For the moment there is no comprehensive state privacy law, although the NYPA may return on the 2020 legislative agenda. However, the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) was signed into law by the Governor in July 2019.
SHIELD amended New York's data breach notification law and the state technology law (N.Y. General Business Law (GBL) §899-aa and N.Y. State Technology Law (STT) §208). The STT governs the obligations of state agencies if there is a data breach; the GBL applies to everyone else. SHIELD also imposes new data security obligations (GBL §899-bb). The amended breach notification provisions took effect on October 23, 2019; the data security requirements take effect on March 21, 2020.
Who is covered by SHIELD?
Any person or business that owns, licenses or is a custodian of computerized (not paper) records containing private information of New York residents is subject to the SHIELD Act. The "shield" covers anyone that holds such information about New Yorkers, no matter where that person or business is located; conducting business in New York is no longer required, which was the trigger under the prior law. This extra-territorial reach isn't unique to New York: the new California Consumer Privacy Act and the European General Data Protection Regulation are extra-territorial too.
What is private information?
Private information is defined as personal information (PI) in combination with one or more data elements (DE), where either the data element or the PI/DE combination is not encrypted, or is encrypted but the "hack" also included access to the encryption key. In practice this means that strong encryption of the data elements with properly segregated keys takes a record out of scope, while encryption whose key sat on the same compromised system does not. Personal information is defined very broadly: it means "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person." There is a laundry list of data elements:
- social security number
- driver's license number or non-driver ID
- financial account information: an account number or credit or debit card number, together with any security code, access code or password that would be required to access the account (or on its own, if the number alone could be used to access the account)
- biometric information (fingerprint, voice print, retina or iris image, or any other unique physical or digital representation used to authenticate or ascertain a person's identity)
Private information also encompasses a username or email address in combination with a password, or with a security question and answer, that would allow access to an online account; this category does not require a separate PI element. Excluded is publicly available information that is lawfully made available to the general public from federal, state or local government records.
What data breaches require notification?
The SHIELD Act is focused on unauthorized access to or acquisition of New Yorkers' computerized records which "compromises the security, confidentiality, or integrity of private information maintained by a business." Before SHIELD, only acquisition counted; access alone now triggers the law. There is no formal risk assessment procedure for determining whether the PI was accessed or "reasonably believed to have been accessed by an unauthorized person," but a business may consider, among other factors, whether any of these events occurred: theft of a computer or other device, downloaded or copied records, identity theft or the existence of fraudulent accounts, and any "indications that the information was viewed, communicated with, used, or altered without valid authorization." If the PI was viewed or otherwise accessed but not exfiltrated, the notification obligations still apply. The disclosure of the "hack" to the New Yorkers whose PI was breached must occur "in the most expedient time possible and without unreasonable delay," subject only to the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the integrity of the system. New York has a standard form for reporting a breach to the state.
Duplicate notices to individuals do not have to be sent if the PI hacked was financial information subject to the Gramm-Leach-Bliley Act or New York's cybersecurity rules for financial service companies, health information subject to HIPAA and HITECH, or data covered by any other federal or New York agency data security statutes, rules or regulations, and notice was already given under that regime. However, even in these "duplication" situations the breach must still be reported to the State Attorney General, the Department of State and the State Police. In standard breach cases, the business must notify the Attorney General, the Department of State's Division of Consumer Protection and the State Police, providing a copy of the actual notice sent, and, if more than 5,000 New York residents are notified at one time, must also notify the consumer reporting agencies of the timing, content and distribution of the notices and the approximate number of affected persons.
Do custodians have the same notification obligations?
No. If the business maintains but does not own or license the PI, its obligation is to notify the owner or licensee immediately following discovery, if the business knows or reasonably believes that a "hack" occurred. The owner or licensee then carries the individual and regulator notification duties, so custodial contracts should spell out how and how fast that hand-off happens.
What if the disclosure was inadvertent?
If a person authorized to access the private information inadvertently disclosed it, the breach is not required to be disclosed if the business reasonably determines that the exposure is unlikely to result in misuse of the information, financial harm to the affected persons, or emotional harm in the case of a disclosure of online credentials. The determination must be documented in writing and the records kept for five years, and if more than 500 New Yorkers were affected, the business has 10 days from the determination to provide the written determination to New York's Attorney General.
How must the notice be sent?
If the individual has expressly consented to electronic notice, the notice may be emailed, provided the business keeps a log of each email sent. The notice may also be sent by regular mail. The business may telephone the individual if it keeps a log of each call. If the breach was massive (more than 500,000 persons affected, or notice costs would exceed $250,000) or there is insufficient contact information, the business may demonstrate this to the Attorney General and use substitute notice, which consists of all of the following: email where addresses are available, a conspicuous posting of the notice on the business's web page, and notification to major statewide media. However, if an email address was breached together with the password or security question and answer for that account, the business must not send the notice to the compromised email account; instead it must provide a clear and conspicuous notice online when the individual next connects to the account from an IP address or location from which the business knows the individual customarily accesses it.
Is there a private right of action?
No. The affected individual cannot sue the business that has been hacked under SHIELD. The Attorney General may bring an action for an injunction and, if notice was not provided, for damages covering the actual costs or losses incurred by the persons entitled to notice. An additional civil penalty may be imposed by the court if it holds that the violation was "knowing or reckless." That penalty is the greater of $5,000 or up to $20 per instance of failed notification, not to exceed $250,000. Any business that fails to implement the security protocols below is also subject to an Attorney General action for an injunction and a civil penalty of up to $5,000 per violation.
What are the new security protocols?
Implement a Data Security Program, which:
1. designates one or more employees to coordinate the security program;
2. identifies reasonably foreseeable internal and external risks;
3. assesses the sufficiency of safeguards in place to control the identified risks;
4. trains and manages employees in the security program practices and procedures;
5. selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
6. adjusts the security program in light of business changes or new circumstances.
Technical Safeguards, which:
1. assess risks in network and software design;
2. assess risks in information processing, transmission and storage;
3. detect, prevent and respond to attacks or system failures; and
4. regularly test and monitor the effectiveness of key controls, systems and procedures.
Physical Safeguards, which:
1. assess the risks of information storage and disposal;
2. detect, prevent and respond to intrusions;
3. protect against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
4. dispose of private information within a reasonable amount of time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed.
A small business (fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) complies if "the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers." Businesses that are subject to, and already in compliance with, GLB, HIPAA/HITECH, New York's cybersecurity rules for financial service companies, or any other federal or New York agency data security statutes, rules or regulations are deemed to be compliant with these SHIELD Act provisions. Note that this deemed compliance covers the security program requirement only; the breach notification obligations still apply, subject to the duplicate-notice rule above.
Given the new security protocols and notification requirements, what are the next steps for a business that possesses PI of New York residents? First, conduct a self-assessment of the business's existing security protocols and inventory the PI collected, stored, used and disclosed, recording where it lives, whether it is encrypted and where the keys are kept, so that records of New York residents can be readily identified when an incident occurs. Second, compare the existing protocols with the SHIELD protocols and implement the missing ones in an internal written information security policy that incorporates the notification obligations, including the custodian hand-off and the regulator reporting steps. Third, consult with legal and IT professionals to confirm compliance, and lastly, communicate with internal personnel about their responsibilities.