On March 21, 2020, the last of the features of the NY Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) became effective: its data security requirements. The SHIELD Act is a sweeping statute governing individual rights relating to data breaches. It was adopted in July 2019 and has been rolled out in the months since then: its breach notification provisions took effect on October 23, 2019, and its data security requirements have now taken effect. Companies and individuals doing business with New York residents are advised to familiarize themselves with the obligations contained in this new law. We summarize below the highlights.
The Privacy of “Private Information” is Protected.
The SHIELD Act requires protection of “private information,” which is a combination of “personal information” and information sufficient to access personal data accounts. “Personal information” for purposes of the SHIELD Act is a name or other identifying feature from which you can determine someone’s identity. The other information required to meet the definition of private information in combination with personal information includes a Social Security number, driver license number, bank or credit card number (with the passwords or access codes needed to access the bank or credit facility), or biometric information that can be used to authenticate or ascertain the individual’s identity.
Separate and apart from the above definition of “private information,” the SHIELD Act also includes in the definition of “private information” a user name or email address along with the password or security information needed to access the account.
Hacking and Other Types of Theft Trigger Notification to Affected Individuals.
The SHIELD Act requires companies or individuals to notify affected persons of cases of unauthorized access or acquisition of private information, and also cases of access or acquisition by someone without authorization. Both hacking and theft require notifying the owners of the lost data. Factors such as whether the computer information had been used, viewed, altered, downloaded or copied must be weighed to determine whether there was access or acquisition under the law.
Fines for failing to notify affected individuals range from $10 to $20 per notification failure, to a cap of $250,000.
There is some flexibility in the notification requirements for certain types of breaches. In the case of inadvertent disclosure of information by someone who is otherwise authorized to access the data, notification will not be required if the company reasonably determines that the exposure will not likely result in:
- misuse of such information,
- financial harm to the affected persons or
- emotional harm in the case of unknown disclosure of online credentials.
In this case, the company must conduct an investigation to determine if these criteria are satisfied and, if so, prepare a written internal memorandum concluding that notification is not required. For disclosures affecting more than 500 NY residents, a copy of the memorandum must be submitted to the AG.
The Attorney General is the Enforcer.
The power to enforce the NY SHIELD Act sits with the Attorney General. The AG can seek fines for past violations and injunctions against continued violations of the SHIELD Act. An earlier version of the SHIELD Act included a provision for a private right of action, but it did not survive the final draft.
How aggressive Attorney General James will be in enforcing this new statute is unknown, especially with the State’s attention and resources diverted to issues related to the COVID-19 pandemic. We would expect the AG to ramp up enforcement efforts once the pandemic response stabilizes, especially since there has been increased hacking activity specifically using the pandemic as a cover for system breach tactics.
What is more certain is that notifying the AG of a system breach will trigger some type of response from the State. Part of that response will be to determine compliance with the “reasonable safeguards” required by the SHIELD Act, discussed below.
In addition to fines that can be assessed for failing to notify affected individuals, the AG can levy fines of $5000 per violation concerning whether the company had enacted reasonable safeguards against hacking or theft.
Mitigating Liability Requires a Plan.
Whether the AG comes down hard on a company will depend on the company’s institution of reasonable safeguards under the SHIELD Act. These reasonable safeguards are, generally speaking, prudent practices that one would expect to employ to protect against and mitigate breaches. The SHIELD Act breaks down these safeguards into three buckets – administrative safeguards, technical safeguards and physical safeguards (similar to the safeguards required by the HIPAA security standards):
- Administrative safeguards. These safeguards include designating a point person or person for coordinating protection and response, identifying risks to the system, evaluating the current processes in place to address these risks, training employees on risks and protections, selecting capable service providers, and adjusting measures in response to changes in circumstances.
- Technical safeguards. These safeguards include assessing risks in the system design and network transmission, testing systems, and implementing a system that detects, monitors and protects against attacks and failures.
- Physical safeguards. These safeguards include protecting against access to data access and safely disposing of data after it no longer has a business use.
In the event of a breach, companies will be in a better position vis-à-vis an Attorney General investigation if it has prepared a comprehensive program that incorporates these safeguards. The AG can assess fines of $5000 per violation, and there is no cap on these fines.
First GDPR, then California, and now NY.
The NY SHIELD Act is the latest in a series of broad measures on data protection by various jurisdictions affecting US businesses. US companies have already considered their risk with respect to data coming within the purview of the EU’s General Data Protection Regulation (“GDPR”). The GDPR is a broad statute that affects US businesses collecting personal information on EU residents. Similarly, the California Consumer Privacy Act (“CCPA”) is broadly written to affect any businesses doing business with California residents.
The reach of the NY SHIELD Act is also broadly worded, covering any person or business who has suffered a breach such that private information of any resident of New York State was reasonably believed to have been accessed or acquired. All companies doing business with NY residents will need to consider whether they own or lease NY resident data and thus fall within the ambit of the statute.