New York is the latest state to expand its breach notification law with the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, signed into law by Governor Andrew Cuomo on July 25, 2019. Several of the key changes the law ushers in, including broader definitions of both personal information (PI) and data breach, a wider set of covered entities subject to breach notification requirements, and new data security standards, mirror provisions already found in other states' breach laws. Amid a historically disparate patchwork of state laws, these commonalities may signal coalescence around prevailing security and breach notification standards and a gradual shift toward greater uniformity.
Most significantly, the SHIELD Act amends existing law to:
- Like Massachusetts, impose data security requirements.
  - Covered entities must develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect and dispose of PI.
  - A small business (one with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) will be deemed compliant if its data security program is appropriate in light of the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the PI it collects.
- Like California, expand the definition of PI that triggers breach notification obligations.
  - The expanded definition includes biometric information; user names or email addresses in combination with passwords or security questions and answers; and account, credit card, or debit card numbers that could be used to access a financial account without any additional identifying information, security code, access code, or password.
- Like Connecticut, expand the definition of a data breach to include unauthorized access to, not only unauthorized acquisition of, private information (the statute's term for PI combined with the enumerated data elements).
  - In assessing whether personal information has been accessed, an entity may consider "indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person."
- Like Illinois, apply the breach notification requirement to any person or entity that owns or licenses computerized PI of a state resident, not just to those conducting business in the state.
- Update the notification procedures that entities must follow when there has been a breach involving PI.
  - In addition to the previously required contents, notices to affected individuals must now include the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection.
  - If any New York residents are to be notified of a breach, the entity must now notify the Office of Information Technology Services (in addition to the state attorney general and the Department of State) and must furnish a copy of the template of the notice sent to affected individuals.
- Provide exceptions to the breach notification requirements.
  - Risk of Harm Exception: Notice is not required for an inadvertent disclosure of PI by persons authorized to access it, where the entity reasonably determines that the exposure is unlikely to result in misuse of the data or in financial or emotional harm to the affected individuals. However:
    - Such a determination must be documented in writing and maintained for at least five years; and
    - If the incident affects more than 500 New York residents, the written determination must be provided to the New York Attorney General within ten days of the determination.
  - Redundant Notice Exception: Separate notice is not required when notice has already been provided pursuant to certain other federal or state laws, including HIPAA, the Gramm-Leach-Bliley Act (GLBA), and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- Increase the civil penalties the attorney general may impose in an enforcement action, to the greater of $5,000 or $20 per instance of failed notification, not to exceed $250,000.
The law’s data security provisions take effect on March 21, 2020 (240 days after enactment), while the remainder of its provisions take effect on October 23, 2019 (90 days after enactment).
Governor Cuomo also signed a second bill, A.5635B/S.5575B, which requires consumer credit reporting agencies (CRAs) to offer identity theft prevention services and, where applicable, identity theft mitigation services following a breach of their security systems that exposes consumers' Social Security numbers. Under that law, which takes effect on September 23, 2019 (60 days after enactment), CRAs must provide these services to affected consumers free of charge for a period not to exceed five years.