On July 25, 2019, the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”) was signed into law by New York Governor Andrew Cuomo. The SHIELD Act aims to ensure that New York residents are afforded greater protections against cybersecurity breaches from companies with which they do business. The SHIELD Act takes effect on March 21, 2020 and imposes key changes to New York’s cybersecurity and data breach notification laws.
Scope of the SHIELD Act
The SHIELD Act provides strong safeguards to protect against identity theft and data breaches for all New York residents. Not only will all New York businesses be required to comply with the SHIELD Act, but the SHIELD Act has far-reaching effects because it applies to out-of-state businesses that maintain the private information of New York residents. Any business or employer holding a New York resident’s private information must understand the new changes to New York’s data security laws, must be aware of what personal and private information is protected under the SHIELD Act, and must know what steps employers need to take to be deemed in compliance with the SHIELD Act’s safeguards.
Expanded Definition of “Private Information” and “Breach”
The SHIELD Act expands the definition of “private information” and sets forth specific personal information that, if breached, could trigger a notification requirement. “Private information” that is to be protected by the data breach law includes the following: Social Security number; credit, debit or account card number, in combination with any required access or security code, password, other security questions and answers; driver’s license number or non-driver identification card number; username or e-mail address with a password that permits access to an online account; and biometric information, meaning any data that is used to authenticate an individual’s identity by electronic measurements of the individual’s unique physical characteristics, including a fingerprint, retina or iris image, or a voiceprint.
The SHIELD Act also amends the definition of a “breach of the security of the system” by providing that a “breach” includes incidents where private information was accessed, regardless of whether that private information was acquired. Under New York’s current data breach laws, a breach occurs only when there was acquisition of the private information and excludes incidents involving mere access. Employers should note that the SHIELD Act does include the “good faith employee” exception to the definition of “breach.” When an employee, in good faith, accesses or acquires private information in conjunction with the purposes of the business and the private information is not subject to an unauthorized disclosure, the access or acquisition of the private information will not be considered a “breach.”
Requirements for Employers Under the SHIELD Act
While the SHIELD Act does not impose a specific list of safeguards that businesses and employers must comply with, the SHIELD Act does provide that a business that licenses or owns computerized data that includes a New York resident’s private information will be in compliance with the law if it develops, implements, and maintains reasonable safeguards to protect the security, confidentiality and integrity of maintaining and disposing of private information. The following include some of the key reasonable safeguards that employers should implement to adhere to the law:
Designate one or more employees to coordinate the security program;
Identify reasonably foreseeable internal and external risks;
Assess the sufficiency of safeguards in place to control the identified risks;
Provide training and oversight for employees involved in the security program practices and procedures; and
Provide training to employees involved in the security program on the disposal of private information, after it is no longer needed for business purposes, by erasing electronic media, so that the private information cannot be reconstructed or read.
The SHIELD Act’s list of reasonable safeguards highlights the important role that a company’s human resources professionals and senior management must fulfill to comply with the new law. A company’s human resources professionals and senior management should provide the required training of employees to implement the security program. Further, they will be able to provide critical assistance to investigations of a data breach to determine whether the disclosure of an employee’s private information was inadvertent and, if so, whether it is likely that the private information will be misused.
Employers should note that two types of businesses may satisfy the reasonable safeguards requirement without having to implement a data security program as described above. First, a business will be deemed compliant with the SHIELD Act if the business is in compliance with other laws requiring information security, such as the Health Insurance Portability and Accountability Act Security Rule (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies. Second, a small business, meaning a business employing fewer than 50 employees and earning less than $3 million in gross annual revenue or earning less than $5 million in year-end total assets, is only required to ensure that its data security safeguards are appropriate when taking into consideration the size and complexity of the small business, the nature of the scope of the small business’s activities, and the sensitivity of the personal information collected from or about the small business employees.
The SHIELD Act also amends New York’s existing data breach notification requirements, which will take effect on October 23, 2019. Since a “breach” will now consist of an unauthorized access to private information, regardless of whether any private information is acquired, an inadvertent disclosure of private information that is not likely to result in the misuse of information only requires that the employer: (1) document its determination that the inadvertent disclosure is not likely to result in misuse; and (2) retain that documentation for a period of 5 years. If the inadvertent disclosure involved private information of more than 50 New York residents, the employer must submit its documentation to the New York State Attorney General within 10 days of the employer’s determination.
Employers should also be aware that if their business is required to provide notice of a data breach under another regulatory scheme such as HIPAA or the GLBA, the SHIELD Act only requires that the New York State Attorney General, the New York Department of State, and the New York State Office of Information Technology Services be notified as to the timing, content and distribution of the notices of the breach and the approximate number of affected persons, and that the business provide a copy of the template of the notice sent to the affected persons.
Violations of the SHIELD Act
Although New York residents are not provided with a private right of action or the right to litigate a violation by a class action, the SHIELD Act does permit the Attorney General to bring an action against a business for violations of the law and to recover civil penalties. Courts may award damages for actual costs or losses incurred by a person entitled to notice for data breach notification violations that are not reckless or knowing. Courts may impose the greater of $5,000 or up to $20 per instance, with a cap of $250,000 for knowing and reckless violations. Employers must also note they may incur penalties of up to $5,000 per violation for failure to comply with the reasonable safeguard requirements.