This last Thursday, July 25, 2019, lawmakers in New York enacted the cleverly named “Stop Hacks and Improve Electronic Data Security Act” (the SHIELD Act), Senate Bill 5575. While Nick Fury could not be reached for comment, I was able to cobble together some details from the new law…
Following the lead of many other states, the SHIELD Act updates New York’s data breach laws by expanding the definition of private information, expanding notification requirements, and requiring that individuals and businesses handling sensitive information implement “reasonable” data security measures. Perhaps most significantly, these requirements will now apply to any person or business that owns or licenses “private information” of a New York resident.
According to the Governor’s office in New York, “[t]his legislation imposes stronger obligations on businesses handling private data of customers, regarding security and proper notification of breaches by:
- Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers;
- Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information;
- Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State;
- Expanding the definition of a data breach to include unauthorized access to private information; and
- Creating reasonable data security requirements tailored to the size of a business.
This bill will take effect 240 days after becoming law.” https://www.governor.ny.gov/news/governor-cuomo-signs-legislation-protecting-new-yorkers-against-data-security-breaches
The new law does not expand the definition of private information to include passport number, employer ID number or financial transaction devices, all of which are included in California’s new privacy regime.
While New York’s previous data breach statute, passed in 2005, required notification of breaches only when private information had been acquired without authorization, the SHIELD Act now requires such notice whenever such data has been accessed without authorization. Not surprisingly, this significantly expands the number of incidents that will require breach notification. Notification is required to occur within “the most expedient time possible and without unreasonable delay,” unless it can be verified that the access was “inadvertent” and that it “will not likely result in misuse.”
The Act’s requirement for “reasonable” security measures is an interesting one. It states, “[a]ny person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information…”. The Act even gives some examples of what “reasonable” could mean: employee training, regular risk assessment exercises, regular testing of key controls and procedures, and the disposal of private information when no longer needed. There is some risk here: although the list is not meant to be exhaustive, a court could de facto apply those listed measures as rigid requirements. I’ll be following that issue once we see some guidance from the courts.
Notably, the SHIELD Act does not create a private right of action for an entity’s failure to comply with the law. While this may warrant a sigh of relief from companies within the technology space, we will have to continue to look out for The New York Privacy Act, which is under consideration by the New York State Senate at this time. The New York Privacy Act would indeed create such a private right of action. If passed, it would represent the most aggressive data protection policy in the United States, if not the world.