On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (S.5575B/A.5635), which significantly increases obligations for businesses handling private data to notify affected consumers upon experiencing a security breach. Additionally, Governor Cuomo signed the Identity Theft Prevention and Mitigating Services Act (A.2374/S.3582), requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency’s system.
In an official press release announcing his signature on both pieces of legislation, the Governor emphasized the significance of implementing such laws to protect New Yorkers against security breaches. Citing a recent significant data breach, Cuomo noted that “[a]s technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure . . . [t]he stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
The SHIELD Act enhances the notification requirements in New York by, in part, broadening the information and entities covered by the law, and imposing security requirements on businesses and individuals, beyond those solely operating in New York. Specifically, the SHIELD Act expands the scope of the state’s protection of personal information in three significant ways:
- The law applies broadly to any person or business that owns or licenses computerized data that includes private information of a New York state resident, regardless of whether the person or business conducts business in the state. New York’s current breach notification law applies only to persons and entities conducting business in the state.
- The law broadens the definition of “data breach” to include unauthorized “access” to private information. Only an “acquired” standard applies under the current breach notification law (NYGBL section 899-AA). For businesses or individuals subject to the SHIELD Act, a breach requiring notification is triggered when a New York resident’s private information was, or is reasonably believed to have been, accessed or acquired without authorization through a breach of the security system in place. Access may include viewing, copying, or downloading private information.
- While the current definition of “personal information” consists of “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person,” the SHIELD Act, consistent with recent amendments to other states’ breach notification laws, expands the definition of “private information” to include financial account numbers that can be used to access an account without additional identifying information, biometric information (e.g., fingerprint, voice print, retina, or iris image), and user names or email addresses, in combination with passwords or security question answers that would allow access to online accounts.
Other than expanding New York’s reach, the SHIELD Act updates the notification procedures for companies and state entities in the event of a breach of private information, including coordination with the breach notification provisions of other federal and New York laws and regulations. Even though the law does not require further notification to individuals if entities are already regulated by and providing notice in accordance with other laws and regulations (e.g., HIPAA, NY DFS Reg 500), notice still must be given to the state attorney general, the New York Department of State, and the state police.
The SHIELD Act also imposes “reasonable” security requirements on persons and businesses that collect the private information of a New York resident, including the development, implementation, and maintenance of “reasonable” administrative, technical, and physical safeguards. Businesses that are already in compliance with laws like HIPAA and the GLBA are deemed compliant with the applicable sections of the legislation (including breach notification provisions). Specific requirements depend on the size and nature of a business and the sensitivity of the information collected. The law provides examples of measures it deems as reasonable, such as personnel training, careful selection of vendors capable of maintaining appropriate safeguards and implementing contractual obligations for such vendors, and proper disposal of private information. Under the SHIELD Act, New York joins many states requiring persons and entities to implement reasonable data security protections based on business size, as well as those states with data breach notification requirements extending to companies that do not do business in the state.
Regarding enforcement, the SHIELD Act extends the time period in which the New York attorney general may bring an action against a business for SHIELD Act violations. Under the current breach notification law, the action must be brought within two years from “the date of the act complained of or the date of discovery of such act,” but the updated statute of limitations is three years from either (i) the date on which the attorney general became aware of the violation, or (ii) the date of notice sent to the attorney general. Note that the law adds an exclusion from time limits where the entity took steps to hide a breach.
Unlike the California Consumer Privacy Act, the SHIELD Act does not authorize a private right of action, and in turn class action litigation is not available. Instead, the attorney general may bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are not reckless or knowing, the court may award damages for actual costs or losses incurred by a person entitled to notice. For knowing and reckless violations, the court may impose a penalty equal to the greater of $5,000 dollars or up to $20 per instance with a maximum of $250,000. For reasonable safeguard requirement violations, the court may impose a penalty of not more than $5,000 per violation.
The notification section of the SHEILD Act, which amends NYGBL section 899-AA, will be effective October 23, 2019. The data security portion will be effective March 21, 2020 as NYGBL section 899-BB.
Identity Theft Prevention and Mitigating Services Act
Governor Cuomo also signed into law the Identity Theft Prevention and Mitigating Services Act, which establishes the minimum amount of long-term protections credit reporting agencies must give to consumers who are affected by a data breach. It specifically requires credit reporting agencies that experience a breach of information containing consumer social security numbers to provide five years of identity theft prevention and mitigation services, and gives consumers the right to freeze their credit for free. This legislation also includes a lookback period, applying to any breach of the security of a consumer credit reporting agency that occurred no more than three years prior to the effective date of the law.
The Identity Theft Prevention and Mitigating Services Act will be effective September 23, 2019 by amending NYGBL section 380-T.
Impact on organizations
The enactment of the above laws demonstrates how states throughout the country are taking note of the increasing frequency and severity of significant data breaches and are making a point to seriously address the security of their residents’ personal information. New York’s SHIELD Act has far-reaching effects, and thus organizations of various sizes and locations that may have access to the private information of New York residents should review and assess their privacy and security policies and procedures (particularly with regard to data breach prevention and incident response) to ensure they are compliant with New York’s developing privacy laws.
However, tailoring a compliance program to New York’s requirements may not be sufficient. Similar laws in other states may, in certain respects, have even broader definitions of “private information” or the equivalent term (e.g., Illinois). With this in mind, it is important for organizations to grasp that a “one size fits all” approach may not satisfy the varying requirements of different states’ current and proposed privacy legislation. If organizations intend on operating and/or accessing the data of residents in all 50 states (as well as U.S. territories), they should take a nimble approach to compliance with each state’s requirements and maintain the most robust security procedures to match the strictest requirements . . . as we patiently wait to see if a federal privacy and security law is ever passed.