Key Point: The SHIELD Act increases the statutory penalties for knowing and reckless violations of the State’s data breach notification law. It also authorizes the NY Attorney General to pursue injunctive relief and monetary penalties against persons and businesses who fail to implement reasonable safeguards to protect New York residents’ private information.

On July 25, 2019, New York Governor Andrew Cuomo signed two bills related to data privacy and identity theft. In our June 24 post, we summarized the contents of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The second signing was the Identity Theft Prevention and Mitigation Services bill. Highlights of the laws’ requirements and effective dates are described below.

The SHIELD Act expands the categories of data that constitute private information, and it expands the definition of a data breach to include unauthorized access to computerized data. The law also spells out the procedures and documentation a covered entity must complete when a good-faith determination is made that a data breach did not occur.

The penalties for knowingly or recklessly violating the data breach notification requirements were increased to $20 per instance, with a maximum cap of $250,000.00.

The provisions above go into effect on Thursday, October 24, 2019.

The provision in the SHIELD Act that has garnered public attention is the requirement for reasonable security measures. The SHIELD Act adds General Business Law § 899-bb, which requires persons and businesses that own or license computerized private information of New York residents to “develop, implement and maintain reasonable safeguards to protect security, confidentiality and integrity of that private information, including the proper disposal of such data.” These safeguards must take into account administrative, technical and physical measures to protect the information.

Of note, the standard for evaluating whether the safeguards adopted by statutorily defined small businesses are compliant is whether the safeguards are “appropriate for the size and complexity of the small business, and the sensitivity of the personal information” collected.

Section 899-bb will go into effect on or about Sunday, March 22, 2020.

Governor Cuomo also signed the Identity Theft Prevention and Mitigation Services bill, which amends General Business Law § 380-t and lays out the minimum requirements for long-term protections to New York residents who have been affected by a data breach at a credit reporting agency.  This bill incorporates by reference the same definition of a data breach revised by the SHIELD Act.

The Identity Theft legislation goes into effect on Monday, September 23, 2019.