Passed this summer, the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act introduces new requirements on all businesses that own or license the “private information” of any New York resident.
On July 25, 2019, Governor Andrew M. Cuomo signed the SHIELD Act into law. The Act amends New York’s cybersecurity and breach notification law – expanding the scope of protected information, the geographic reach, and the cybersecurity measures business must take to ensure compliance. The following highlights some of the significant changes to the law:
Expanding the Geographical Scope of New York Law
Beginning today, the Act’s provisions now apply to any owner or licensor of a New York resident’s private information. Previously, only organizations that conducted business in New York were required to adhere to the state’s notification requirements.
“Private Information”
Under the Act, the definition of “private information” has been expanded to include biometric information and a user name or email address “in combination with a password or security question and answer.” Further, an account, credit card or debit card number, even without a security code, access code or password, is considered “private information” if the account could be accessed without such information. The previous law only protected such numbers in conjunction with additional information. This new definition is in line with a growing trend among state legislators in expanding the scope of information companies are expected to protect.
“Reasonable Security Measures”
In addition to expanding the number of organizations covered by the Act, New York state now requires companies to take “reasonable security measures.” While the Act does not mandate any specific actions (nor provide a definition of the phrase), it suggests organizations engage in regular employee training, cybersecurity risk assessments, and the designation of specific employees to oversee cybersecurity. Similar to the amendment to New York’s original breach notification law, certain federal laws (e.g. GLBA, HIPAA) and industry-specific New York state data security and privacy laws would preempt the Act’s data security program requirements.
If the organization is a “small business” (a business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets), the Act provides an exception in requiring cybersecurity measures “appropriate for the size and complexity of the small business” and the type of private information collected. The Act provides no additional guidance as to what actions are considered consistent with this requirement.
Monetary Penalties
Though the Act explicitly bans a private right of action, the Attorney General is empowered to seek civil penalties. For data breach notification violations that are not reckless or knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For knowing and reckless violations of the breach notification provisions, a court may impose penalties of the greater of $5,000 or up to $20 per instance, with a cap of $250,000. If an organization is found to violate the Act’s reasonable security provision, the court may impose penalties of not more than $5,000 per violation.
The Act’s breach notification requirements take effect on October 23, 2019. The data security requirements take effect on March 21, 2020.
