New York State recently passed into law the “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act.
Under New York’s existing 2005 Breach Notification Act, any person or business that conducts business in New York state and owns or licenses computerized data that includes “private information” of a New York resident is a covered entity subject to notification requirements in the event of a breach. “Private information” was defined as personal information (i.e., information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such person) in combination with a unique identifier like a Social Security Number or some other account number and/or system access credentials.
The SHIELD Act makes several significant changes to this earlier law. SHIELD expands the categories of information in the definition of “private information” to include:
- Account number, credit or debit card number, if circumstances exist wherein such number(s) could be used to access an individual’s financial account without any additional identifying information, security code, access code or password;
- Biometric information data generated from electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain the individual’s identity; or
- Username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Further, SHIELD now covers entities that maintain private information of New York residents, regardless of whether or not such entities actually conduct business within New York.
SHIELD also expands the definition of a “data breach” to include not only the unauthorized acquisition of private information, but also instances of mere unauthorized access.
Apart from these expansions in businesses’ obligations in the event of a breach, SHIELD further requires covered entities to affirmatively implement “reasonable safeguards,” taking into account administrative, technical and physical safeguards such as training, risk assessments, regular testing of key controls and procedures, and the disposal of private information within a reasonable amount of time after it is no longer needed.
SHIELD also increases possible fines for violations of the notification requirements to an amount “not to exceed” $250,000.
Notably, the imposition of the “reasonable safeguards” requirement brings the new law closer to New York’s 2017 Department of Financial Services’ Cybersecurity Regulation, which prescribes holistic security measures applicable to a broad swath of financial services companies operating under New York’s Banking, Insurance and Financial Services Laws.
The SHIELD Act does not specify the means and methods constituting required safeguards; it provides only examples of “reasonable” measures. Nevertheless, given the Act’s expanded definition of “private information,” many of New York’s small and medium-sized businesses in industries unaccustomed to the regulations applicable to the financial sector will now be required to proactively address their security measures and implement policies and procedures, including risk assessments, to protect sensitive information, systems, equipment, and facilities from unauthorized access.
Separately, at the federal level, failure to follow Federal Trade Commission (FTC) guidance often leads to enforcement proceedings followed by burdensome consent decrees. Companies have become involved in FTC investigations following data breaches as a result of, among other things, failure to conform to privacy policies that stated “your information is completely secure with us” or referred to the use of state-of-the-art security when actual practices were antiquated.
With the passage of SHIELD, New York joins California and other jurisdictions that have recently expanded privacy laws to expect more of their corporate citizens in protecting the sensitive data of the residents of those states. The New York and California laws address different, but equally important, aspects of the issue. While California has its own security requirements, its widely publicized, soon-to-be-effective California Consumer Privacy Act (“CCPA”) goes far beyond requirements for reducing the risk of unauthorized access to sensitive data and prescribing breach notice procedures. Instead, CCPA strictly regulates data collection and usage, particularly the “selling” of data, by those authorized to obtain it. In that regard, CCPA is more akin to the EU’s General Data Protection Regulation (“GDPR”). Critically, unlike the SHIELD Act, the CCPA applies absent any data breach.
While there are some differences, those who are in compliance with the GDPR and/or CCPA will find compliance with the SHIELD law to require relatively little additional effort.
The FisherBroyles Cyber, Privacy & Data Security practice group is pleased to assist your company with these issues. For any questions about corporate privacy, cyber liability, or other legal issues, please contact our team.