New York Amends Data Breach Notification Law and Enacts Data Security Protections
On July 25, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”), making key changes to New York’s data breach notification and cybersecurity laws.
Data Breach Notification Law
Changes to the existing data breach notification law (General Business Law, Article 39-F, Section 899-aa) will be effective October 23, 2019 (90 days after the SHIELD Act became law) and include:
Adding three types of “private information” to be protected by the data breach law: (i) certain account numbers and credit or debit card numbers regardless of whether the PIN or password has been compromised, (ii) biometric information and (iii) user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Expanding the definition of a “breach” to include not just unauthorized “acquisition” of private information, as in current law, but also unauthorized “access” to private information.
Extending the applicability of the data breach law to any “person or business,” whether conducting business in New York or not, that owns or licenses private information of a New York resident.
If a “covered entity” under the Health Insurance Portability and Accountability Act (“HIPAA”) is required to provide notification of a breach to the U.S. Secretary of Health and Human Services (“HHS”), the covered entity must also notify the New York Attorney General of the breach within five business days of notifying HHS. This notification to the New York Attorney General must be made even if the compromised information, for instance medical information, would not have constituted “private information” under New York law.
Requiring that breach notices include the telephone numbers and websites for the relevant New York and federal agencies that provide information regarding security breach response and identity theft prevention information.
Permitting organizations to consider the risk of harm to affected persons when determining whether the organization must notify individuals of certain types of breaches. However, such a determination that notice is not required must be documented in writing, maintained for five years and, if the incident involved over five hundred New York residents, provided to the New York Attorney General.
Data Security Protections
Further, and perhaps more importantly, the SHIELD Act added new “Data Security Protections” to the General Business Law, effective March 21, 2020 (240 days after the SHIELD Act became law), in a far-reaching effort to improve cybersecurity and prevent data breaches in the first place. These new prescriptive standards, called the “reasonable security requirement,” apply to persons or entities that own or license computerized data that include private information of a New York resident. New Section 899-bb of the General Business Law, added by the SHIELD ACT, mandates this “reasonable security requirement” as follows:
Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.
These “reasonable safeguards” in turn require any such person or business either (i) to be in compliance with other applicable cybersecurity laws, such as the Gramm-Leach-Bliley Act, HIPAA or the Cybersecurity Requirements for Financial Services Companies promulgated by the New York Department of Financial Services or (ii) to implement a “data security program” that includes reasonable administrative, technical and physical safeguards defined as follows:
(A) reasonable administrative safeguards such as the following, in which the person or business:
designates one or more employees to coordinate the security program;
identifies reasonably foreseeable internal and external risks;
assesses the sufficiency of safeguards in place to control the identified risks;
trains and manages employees in the security program practices and procedures;
selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
adjusts the security program in light of business changes or new circumstances;
(B) reasonable technical safeguards such as the following, in which the person or business:
assesses risks in network and software design;
assesses risks in information processing, transmission and storage;
detects, prevents and responds to attacks or system failures; and
regularly tests and monitors the effectiveness of key controls, systems and procedures; and
(C) reasonable physical safeguards such as the following, in which the person or business:
assesses risks of information storage and disposal;
detects, prevents and responds to intrusions;
protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
These are far-reaching requirements, and much will depend on how they are interpreted and enforced by the New York Attorney General. While these new legal requirements state that they do not give rise to a private right of action, failure to comply with them would be deemed a violation of Section 349 of the General Business Law (“Deceptive Acts and Practices Unlawful”), and it remains to be seen whether they will be invoked in litigation as supportive of a common law duty of care.
The burden of these requirements is alleviated to some extent for a “small business,” defined as a person or businesses with fewer than 50 employees, less than $3 million in gross annual revenue or less than $5 million in year-end total assets. The required “data security program” for small business entities meeting these criteria would satisfy the law if the program “contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.”
In signing the SHIELD Act into law, Governor Cuomo explained that the purpose of the Act is to provide additional protections for New York residents and their private information as well as to promote stronger cybersecurity by entities in possession of private information about New York residents.
The new data breach notification measures do make New York law more stringent, joining a growing number of states in regulating biometric information and allowing unauthorized “access” to private information to trigger notification requirements.
The mandatory Data Security Protections put New York toward the leading edge of prescriptive cybersecurity measures imposed by state law, presumably building on what New York is viewing as a successful roll-out of similar prescriptive measures by the New York Department of Financial Services in 2017.
While the new Data Security Program now being required in New York may be reminiscent of the Written Information Security Plan that has been required in Massachusetts since 2010, it may also suggest a trend toward further prescriptive regulations by other states. These types of regulations may also persuade Congress and federal regulators to redouble their efforts to bring uniformity and coherence to an ever-changing and fast-developing area of the law.
For companies in New York, or otherwise in possession of the private information of New York residents, there are three takeaways under the New York SHIELD Act for compliance personnel and their legal and forensic advisors:
Whether located in New York or not, companies should take steps to be cognizant of whether the private information of New York residents in computerized form is stored or retained by the organization and whether there is a continuing business need to retain it.
If required, companies should develop and implement a written Data Security Plan that complies with the SHIELD Act.
More broadly, companies can and should integrate their ongoing compliance with New York data breach laws into their overall compliance efforts.
For more information, contact Polsinelli’s team of Privacy and Cybersecurity attorneys.