Key Point: If signed by the Governor, the legislation will require entities doing business in New York to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information.
As it closed its session, the New York legislature passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The bill, which the New York Attorney General’s (“AG”) office strongly supports, is now at the governor’s office for review. New York AG Letitia James stated New York will join the “increasing number of states that require reasonable data security protections, while being careful to avoid excessive costs to small business and without imposing duplicate obligations under federal or state data security regulations.”
If Governor Cuomo signs the bill, New York will build upon its existing data breach notification law, and add a new requirement for data custodians in the private and public sectors to adopt reasonable measures to safeguard sensitive data of New York residents.
Major Provisions of the SHIELD Act
Creation of New Data Security Requirements
Arguably the most significant provision in the law is the entirely new section imposing data security requirements. Specifically, “any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”
The bill contains a safe-harbor provision for entities that already are subject to, and in compliance with, certain data security requirements, such as GLBA and HIPAA regulated entities.
Entities that are not already covered by such industry-specific regulations must implement a data security program that contains the following administrative, technical and physical safeguards:
Reasonable administrative safeguards such as the following, in which the person or business:
(1) designates one or more employees to coordinate the security program;
(2) identifies reasonably foreseeable internal and external risks;
(3) assesses the sufficiency of safeguards in place to control the identified risks;
(4) trains and manages employees in the security program practices and procedures;
(5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
(6) adjusts the security program in light of business changes or new circumstances.
Reasonable technical safeguards such as the following, in which the person or business:
(1) assesses risks in network and software design;
(2) assesses risks in information processing, transmission and storage;
(3) detects, prevents and responds to attacks or system failures; and
(4) regularly tests and monitors the effectiveness of key controls, systems and procedures.
Reasonable physical safeguards such as the following, in which the person or business:
(1) assesses risks of information storage and disposal;
(2) detects, prevents and responds to intrusions;
(3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
(4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
The New York AG can bring a civil action, and obtain monetary penalties, against entities that fail to adopt and maintain reasonable safeguards on behalf of New York residents. However, the SHIELD Act does not create a private right of action for individual residents to sue the entity.
If they have not done so already, entities covered by the SHIELD Act should be drafting written information security programs to ensure compliance with the Act. Entities should ensure that their programs satisfy each of the SHIELD Act’s specific requirements, such as designating a responsible individual to oversee the program, training employees, identifying risks and mitigation techniques, and properly vetting third-party vendors.
Amendments to Data Breach Notification Requirements
The SHIELD Act would expand the pre-existing data element categories that constitute statutorily defined “private information” by adding (1) credit card numbers that grant access to financial accounts absent any additional identifying information, and (2) biometric information that is used to authenticate individuals’ identity. It also would require that notice be provided if the breach involved a “user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.”
Further, the SHIELD Act would expand the definition of “breach” to include instances in which there was unauthorized “access” to computerized data. The law now only covers unauthorized acquisition. The law goes on to state that in determining whether information “has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”
The SHIELD Act amends current data breach disclosure requirements by adding procedural steps that must be completed before an entity can determine that a breach disclosure notice to affected individuals is not required:
(1) verify that the exposure of private information was inadvertent;
(2) verify that the private information was exposed by a person who is authorized to have access to the private information;
(3) the entity “reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials;”
(4) the reasonable determination in item (3) must be documented in writing and retained for five years;
(5) if the incident affects over 500 New York residents, the entity must provide a copy of the written determination to the New York AG within ten days after the determination is made.
Notably, the pre-existing deadline to notify affected residents of the breach “without unreasonable delay” was not shortened.
What Happens Next?
As of June 2019, which coincides with the conclusion of many state legislative sessions, over twenty states have enacted laws that require data security practices for certain private sector entities. However, statutory obligations are not the only mechanisms for imposing data security practices.
State courts are presiding over common law negligence claims arising from data breaches. In a future post, we will provide examples where state courts (in similar fashion as state legislatures) are adding to the patchwork legal landscape, handing down divergent rulings related to common-law duties, and the associated standards of care, regarding data security obligations.