On July 25, New York Governor Andrew Cuomo signed two data security and breach notification bills into law. The first bill, the “Stop Hacks and Improve Electronic Data Security Act” or “SHIELD Act,” will impose specific data security requirements on businesses that own or license private information of New York residents, in addition to amending New York’s data breach notification statute to broaden the circumstances under which notification may be required. The second bill, meanwhile, will require consumer reporting agencies to offer identity theft prevention and mitigation services. Both bills are described in further detail below.
New Data Security Provisions under SHIELD Act
Once its data security provisions enter into force on March 21, 2020, the SHIELD Act will require any person or business that owns or licenses “private information” of New York residents to develop, implement, and maintain “reasonable safeguards” to protect the information. The SHIELD Act will use the same definition of “private information” as New York’s data breach notification law, which includes online account credentials, as well as an individual’s name along with a Social Security number, driver’s license number, payment card information, or biometric information.
While many states’ laws include similar “reasonable” data security requirements, the SHIELD Act takes additional steps by setting forth a detailed series of options for businesses to satisfy this requirement. Specifically, a business will be “deemed in compliance” with the statute’s requirement to implement and maintain “reasonable safeguards” if it (1) complies with one of a list of regulatory frameworks or (2) implements a data security program that includes specific elements. Entities that meet the definition of a “small business,” which is defined to include businesses with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets, have an additional option to satisfy the law’s requirements by implementing reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.
The list of regulatory frameworks where compliance will be “deemed in compliance” with the SHIELD Act’s requirements includes:
- the Health Insurance Portability and Accountability Act (“HIPAA”);
- the Gramm-Leach-Bliley Act (“GLBA”);
- the New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500); and
- any other data security rules and regulations administered by a federal or New York state government department, division, commission, or agency.
Alternatively, an entity’s data security program can be “deemed in compliance” if it includes:
- reasonable administrative safeguards, such as:
  - designating an employee to coordinate the security program;
  - identifying reasonably foreseeable internal and external risks;
  - assessing the sufficiency of safeguards in place to control identified risks;
  - training and managing employees in the security program practices and procedures;
  - selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract; and
  - adjusting the security program in light of business changes or new circumstances;
- reasonable technical safeguards, such as:
  - assessing risks in network and software design;
  - assessing risks in information processing, transmission, and storage;
  - detecting, preventing, and responding to attacks or system failures; and
  - regularly testing and monitoring the effectiveness of key controls, systems, and procedures; and
- reasonable physical safeguards, such as:
  - assessing risks of information storage and disposal;
  - detecting, preventing, and responding to intrusions;
  - protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
  - disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
The SHIELD Act provides that a failure to comply with these data security requirements “shall be deemed” a violation of the state’s prohibition on deceptive acts and practices, and the New York Attorney General may pursue civil penalties of up to $5,000 per violation under N.Y. Gen. Bus. Law Section 350-d. However, the SHIELD Act also explicitly notes that these data security provisions do not create a private right of action.
New Data Breach Notification Provisions under SHIELD Act
In addition to implementing new data security requirements, the SHIELD Act also includes notable changes to New York’s data breach notification law, which requires notification of affected residents, state regulators, and (in some circumstances) consumer reporting agencies following a “breach” of personally identifiable information, or “PII.” Once the SHIELD Act’s changes to data notification provisions enter into force on October 23, 2019, they will broaden the scope of PII covered under New York’s data breach notification law to include biometric information (when paired with a personal identifier, such as an individual’s name), as well as an email address combined with the password or security question/answer that permits access to an online account. In addition, the breach of a name and account number, credit card number, or debit card number, without the security code, could trigger notification obligations under the SHIELD Act’s provisions if the account number alone could be used to access an individual’s financial account.
The SHIELD Act will also broaden the definition of a “breach” to include not only unauthorized “acquisition” of PII, but also unauthorized “access” to PII. In determining whether an unauthorized person accessed covered information, the SHIELD Act states that businesses should consider “indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”
The SHIELD Act also introduces new safe harbors and notification thresholds that businesses collecting PII of New York residents could utilize in connection with future security incidents. Specifically, the SHIELD Act’s amendments provide that businesses will not need to provide notice to affected individuals if the exposure of PII was “an inadvertent disclosure by persons authorized to access private information” and the business reasonably determines that the exposure is unlikely to result in misuse of the information, financial harm, or, in the case of unknown disclosure of online credentials, emotional harm. However, in order to leverage this provision, businesses will need to document any such determination in writing and maintain it for at least five years. If a business makes such a determination, and the incident involves over 500 New York residents, the business will also need to provide the written determination to the New York Attorney General within 10 days of making the determination.
In addition, the SHIELD Act will also add new safe harbors to the New York data breach notification law for entities that comply with, and notify individuals pursuant to, the regulations implementing HIPAA and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), the regulations promulgated under Title V of GLBA, the New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500), or any other federal or New York data security rules and regulations. However, even if a business makes individual notifications pursuant to one of these laws or regulations, the business will still be required to notify the New York Attorney General, the New York Secretary of State, the Division of State Police, and, if more than 5,000 New York residents are notified, consumer reporting agencies. In addition, if a business makes any notification to the Secretary of Health and Human Services pursuant to HIPAA or the HITECH Act, the business must also notify the New York Attorney General within five business days of notifying the Secretary.
Finally, the SHIELD Act provides the New York Attorney General more time to bring an action for violations of the statute’s breach notification requirements, while also increasing the total amount of civil penalties available. Unlike the data security provisions of the SHIELD Act, which become effective on March 21, 2020, the data breach notification provisions will enter into force on October 23, 2019.
New Requirements for Credit Reporting Agencies to Provide Identity Theft Prevention and Mitigation Services
In addition to the SHIELD Act, Governor Cuomo also signed the Identity Theft Prevention and Mitigation Services Act, which will require a consumer credit reporting agency to offer identity theft prevention services and, if applicable, mitigation services for five years in the event of a breach involving the credit reporting agency’s system. The Identity Theft Prevention and Mitigation Services Act becomes effective on September 23, 2019.