New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security” Act) is an amendment to New York’s data breach notification law. It took effect on October 23, 2019, but its data security provisions, codified in N.Y. Gen. Bus. Law § 899-bb, only took effect on March 21, 2020.
First let’s have a look at the provisions which took effect in 2019.
The Act greatly expanded the territorial scope of New York data breach law as it no longer covers only a person or company conducting business in New York state. If the breach affects a New York resident, then the law applies.
The definition of “private information” is expanded to include an account number or a credit or debit card number, if it can be used to access an individual’s financial account without an additional identifying piece of information, security code, access code, or password. It also now includes a username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
“Private information” now includes biometric information, which is defined as “data generated by electronic measurements of an individual’s unique physical characteristics.”
Biometric information includes:
- a fingerprint,
- a voice print,
- a retina or iris image,
- any other unique physical representation or digital representation of biometric data which is used to authenticate or ascertain the individual’s identity.
What is a security breach?
The definition of a security breach was expanded to include unauthorized access to computerized data that compromises the security, confidentiality, or integrity of private information retained by a company. Before the SHIELD Act, the law covered only the unauthorized acquisition of personal data maintained by a business.
The SHIELD Act specifies that a company may consider several factors to determine whether information has been accessed or is reasonably believed to have been accessed without authorization, among them indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.
The notice of the breach
The notice cannot be provided to the affected person by e-mail if the breached information includes an e-mail address in combination with a password or security question and answer allowing access to an online account.
In that case, a clear and conspicuous notice must be “delivered to the consumer online when the consumer is connected to the online account from an internet protocol address or from an online location which the person or business knows the consumer customarily uses to access the online account.”
The notice must now include:
- the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection.
If the individual or company is required to provide notice of the breach under the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), or to the New York Department of Financial Services, an additional notice to the affected individuals is not required, but notice must still be provided to the New York Attorney General, the Department of State, the Division of State Police, as well as to the consumer reporting agencies (CRAs).
A HIPAA covered entity must report a breach to the New York Attorney General if HIPAA requires notification of the data breach to the Secretary of Health and Human Services, even if the breach involves information which is not “private information.”
If the breach affects any New York residents, the person or business must provide a copy of the template of the notice to the state attorney general, the department of state and the division of state police, and this notice must not delay sending the notice to the affected persons.
It is not required, however, to notify an affected person of a breach if:
- the persons authorized to access the private information inadvertently disclosed it and
- the person or business reasonably determined that misuse of the information will not likely occur, or
- financial harm to the affected persons will not likely occur or
- emotional harm will not likely occur, if a username or e-mail address in combination with a password or security question and answer that would permit access to an online account was disclosed.
Such a determination must be documented in writing and maintained for at least five years. If the incident affects over 500 New York residents, the person or business must provide the written determination to the state attorney general within ten days after the determination.
In practice, this means that a written document must be created to explain why it has been decided not to notify affected individuals of a breach. This document must be written with the utmost care, and should explain the circumstances of the breach, how it was discovered, what information was breached, how the risk was assessed, and why the decision not to report the breach was taken.
The SHIELD Act does not provide a private right of action, but the remedies provided are “in addition to any other lawful remedy available.” The penalties for failure to notify increased, however, from ten to twenty dollars per instance of failed notification.
The statute of limitations is expanded from 2 to 3 years from the date the attorney general became aware of the violation or the date the notice was sent.
The Data Security Provisions of the NY SHIELD Act, which took effect on March 21, 2020
Any person or business which owns or licenses computerized data which includes private information of a New York resident must develop, implement, and maintain a data security program.
In order to be compliant with the NY SHIELD Act, such a person or business must put in place administrative, technical, and physical safeguards.
A small business, which is defined as one having fewer than 50 employees, less than 3 million dollars in gross annual revenue in each of the last 3 fiscal years, or less than 5 million dollars in year-end total assets, is not exempt from this requirement. However, it is sufficient that its security program contains reasonable administrative, technical and physical safeguards which are “appropriate for [its] size and complexity.”
The administrative safeguards include:
- Designating one or more employees to coordinate the security program
- Identifying reasonably foreseeable internal and external risks
- Assessing whether sufficient safeguards have been put in place
- Training and managing employees in the security program practices and procedures
- Selecting service providers which can maintain appropriate safeguards, and requiring those safeguards by contract
The technical safeguards include:
- Assessing risks in network and software design
- Assessing risks in information processing, transmission, and storage
- Detecting, preventing, and responding to attacks or systems failures
- Regularly testing and monitoring the effectiveness of key controls, systems, and procedures
The physical safeguards include:
- Assessing risks of information storage and disposal
- Detecting, preventing, and responding to intrusions
- Protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information
- Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic documents in such a way that the information can no longer be read or reconstructed