It didn’t take long for other states to follow California’s lead in pursuing rigorous data privacy protections for their residents. Although New York was unsuccessful in passing its own version of the California Consumer Protection Act (CCPA) this year, legislation expanding data breach notification protocols was signed into law by Governor Andrew Cuomo on July 25, 2019¹. The SHIELD Act (the Stop Hacks and Improve Electronic Data Security Act) signals a growing trend in the U.S. toward strengthening data privacy protections in the wake of high-profile data breaches through the adoption of more comprehensive and enforceable regulations.
Effective March 21, 2020, the SHIELD Act amends New York’s existing breach notification law, imposing tougher standards on entities handling the data of its residents. Specifically, the Act broadens the applicability of the law, expands the definitions of “breach of security” and “private information,” and mandates the implementation of controls for breach prevention.
- Applicability: Unlike NY’s current law, which applied only to persons or entities conducting business in NY, the SHIELD Act applies to any individual or company which owns or licenses computerized data that includes the private information of New York residents, regardless of size or whether they have operations, employees, a location or are even registered to do business in the state. Although several limited exceptions to this rule exist, we recommend conducting a thorough risk assessment on a case by case basis.
- Breach: The Act broadens the circumstances that qualify as a breach requiring notification. In addition to unauthorized “acquisition” (the standard set by the existing law), unauthorized “access” to private information will trigger a notification obligation. Viewing, communicating with, using or altering such information without valid authorization or by an unauthorized person are considered indicators of unauthorized access.
- Private Information: The Act continues to make a distinction between personal information and private information, and expands the definition of the latter to include financial account numbers that can be used to access an account with additional identifying information, biometric information such as fingerprints, voice print or visual methods of authenticating identification, and user names or email addresses that, in combination with passwords or security question answers, allow access to online accounts.
- Safeguards: The Act requires impacted entities to develop, implement, and maintain reasonable safeguards against data breaches, and provides the following examples:
- Conducting regular risk assessments
- Training employees
- Reviewing the safeguard capabilities of vendors and adding contractual obligations in vendor contracts
- Adopting/updating data security and incident response policies in compliance with the terms of the Act
- Disposing of private information within a reasonable time frame
Finally, the SHIELD Act increases the statute of limitations on lawsuits filed by the State Attorney General from two to three years following notification of breach. There is no private right of action given to New York residents, which means class action lawsuits are not permitted.
If your organization is subject to the SHIELD Act or any other privacy legislation in NY, we advise taking the following steps immediately:
- Review your current data security policies to ensure compliance with the heightened requirements of the SHIELD Act
- Review your breach incident response policies and update as needed
- Implement a security training program for employees, or update your existing program
The New York legislature is expected to reconsider a different version of the proposed New York Privacy Act in the next session, which may include breach notification provisions that supersede the SHIELD Act. Therefore, it will be important to keep an eye on developments in this space over the coming months. If you would like assistance determining the applicability of the SHIELD Act, or preparing for your compliance obligation, please contact Stephan Grynwajc at email@example.com or 347-543-3035.
¹Also signed into law by Governor Cuomo on July 25th is the Identity Theft Prevention and Mitigating Services Act which requires consumer credit reporting agencies to provide 5 years of prevention and mitigation services to NY residents impacted by an agency security breach.
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the privacy landscape in the U.S., Canada and the EU.