New York’s SHIELD Act Expands Notification Laws and Imposes Strict Cybersecurity Requirements on Businesses
New York State recently enacted the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”), which expands New York State's data breach notification law and imposes prescriptive “data security program” requirements on businesses that possess the private information of New York State residents, regardless of whether the businesses have any physical presence within New York State.
New “Data Security Program” Requirement on Businesses That Hold Personal Information of New York State Residents
Several states currently require businesses that own, license or maintain personal information about the residents of their states to implement and maintain “reasonable security procedures and practices,” and to protect personal information from unauthorized access, destruction, use, modification or disclosure. However, many of those laws do not specify what exactly constitutes “reasonable” security procedures.
Other states are more specific in their requirements. For example, Massachusetts has long required businesses that own or license the personal information of that state’s residents to develop, implement and maintain comprehensive written information security programs (WISPs) that contain specific administrative, technical and physical safeguards for the protection of personal information. Other states, such as Connecticut, require parties that contract with state agencies to implement and maintain a comprehensive data security program for the protection of confidential information.
The SHIELD Act places New York State in the group of states that are more prescriptive in their data security requirements. The Act provides that, beginning as of March 21, 2020, businesses that own or license computerized data that includes “private information” of New York State residents must implement a “data security program” that includes the following:
- administrative safeguards in which the business:
  - designates one or more employees to coordinate the security program;
  - identifies reasonably foreseeable internal and external risks;
  - assesses the sufficiency of safeguards in place to control the identified risks;
  - trains and manages employees in the security program practices and procedures;
  - selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract; and
  - adjusts the security program in light of business changes or new circumstances.
- technical safeguards in which the business:
  - assesses risks in network and software design;
  - assesses risks in information processing, transmission and storage;
  - detects, prevents and responds to attacks or system failures; and
  - regularly tests and monitors the effectiveness of key controls, systems and procedures.
- physical safeguards in which the business:
  - assesses risks of information storage and disposal;
  - detects, prevents and responds to intrusions;
  - protects against unauthorized access to or use of private information during or after the collection, transportation and disposal of the information; and
  - disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Businesses that are subject to, and are in compliance with, Title V of the Gramm-Leach-Bliley Act, HIPAA or the New York State Department of Financial Services Cybersecurity Requirements (23 NYCRR 500) are exempted from this requirement under the SHIELD Act. This is because those other laws already set forth their own requirements for businesses covered thereunder to design and implement data security programs.
The SHIELD Act provides a limited reprieve for “small businesses,” which are defined as businesses with (i) fewer than fifty employees; (ii) less than $3 million in gross annual revenue in each of the last three fiscal years; or (iii) less than $5 million in year-end total assets, calculated in accordance with GAAP. Under the Act, “small businesses” that own or license computerized data that includes private information of New York State residents are only required to implement a data security program that contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information it collects. Thus, while small businesses still must implement a data security program, the specific requirements of such program are somewhat relaxed.
The New York State Attorney General can pursue civil penalties for violations. Importantly, however, there is no private right of action.
Because the SHIELD Act specifies particular elements that a compliant data security program should contain, businesses that have data security programs lacking one or more of the specified elements may be in a disadvantaged position in any future litigation that data breach victims may commence. Specifically, individuals who are impacted by a data breach may argue that the SHIELD Act’s standards (or the standards in other states that have similar rules) serve as the de facto minimum baseline for reasonable data security practices. Such individuals may further argue that a business’s failure to implement and maintain a data security program that addresses all of the SHIELD Act’s requirements constitutes negligence.
The new data security program requirement will take effect on March 21, 2020.
Expanded Scope of New York State’s Breach Notification Requirements
Generally, data breach notification laws are state and territorial laws that require businesses affected by a data breach involving individuals’ legally-protected personal information to notify the affected individuals (and, in some states, law enforcement authorities) about the breach. Every state and the District of Columbia has its own data breach notification law, and New York State has had such a law for the last several years.
Before the SHIELD Act, the types of private information that triggered New York State’s data breach notification law were fairly limited. For example, private information had been limited to information that could be used to identify a natural person, together with a Social Security Number; a driver’s license number or non-driver identification card number; or a credit card or debit card number together with any required security code, access code or password that would permit access to an individual’s financial account.
The SHIELD Act broadens the scope of “private information” to which New York State’s data breach notification obligations apply. Specifically, it expands the universe of private information also to include:
- an account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code or password;
- biometric information; or
- a username or e-mail address in combination with either a password or security question and answer that would permit access to an online account.
This expansion of scope of legally-protected private information is consistent with the actions of legislatures in other states. Indeed, a number of other states have also recently expanded the scope of personal information that would fall within their respective data breach notification requirements.
A business is not required to notify affected individuals of the exposure of their private information if it was the result of “an inadvertent disclosure by persons authorized to access private information,” and the business reasonably determines that such exposure will not likely result in misuse, or financial or emotional harm to the affected person. Such a determination must be documented in writing and maintained for at least five years. If the incident affects over 500 New York State residents, the business must provide the written determination to the Attorney General’s office within 10 days after the business makes that determination.
The SHIELD Act expands the definition of a “breach” to include unauthorized “access” of private information that compromises the security, confidentiality or integrity of private information. Before the SHIELD Act, a breach was defined only as unauthorized “acquisition” of private information.
The Act also expands the territorial application of New York State’s data breach notification statute to any business that owns or licenses computerized data that includes “private information” of a New York State resident, regardless of whether that business has any physical location in New York State. Previously, New York’s breach notification statute only covered individuals and entities that conducted business within the state.
The Act increases the potential civil penalties for breach notification law violations to up to twenty dollars per instance of failed notification (capped at $250,000), and imposes new civil penalties (up to $5,000 per violation, with no cap) for certain failures to comply with the data security program requirements.
These breach notification amendments took effect on October 23, 2019.
Implications for Employers and for Staffing Firms
Every business that has employees who are New York State residents and every staffing firm that deals with candidates who are New York State residents must comply with the SHIELD Act. This is because they possess their employees’ and candidates’ private information, such as their names, Social Security numbers and their government-issued ID numbers. Additionally, businesses that hold the private information of their customers who are New York State residents will be required to comply with this Act.
In light of the enactment of the SHIELD Act and similar laws across the country, employers and staffing firms should do the following:
- Prepare and implement a data security program that is compliant with the SHIELD Act’s requirements. If a data security program has previously been implemented, it should be updated as needed to comply with the SHIELD Act.
- Appoint or hire an individual to oversee the data security program.
- Ensure that their personnel who are tasked with developing and implementing their data security program have the capability (in terms of competence and availability of time) to do so.
- To the extent that businesses outsource the processing of personal information or other sensitive information to third parties, perform sufficient due diligence to confirm that their third-party vendors’ data security programs are adequate in light of the sensitivity of the information they provide to those vendors. All existing vendor contracts should be reviewed, and appropriate provisions should be added to obligate the vendors to meet the applicable data privacy and security standards.
- Conduct regular data privacy and security training for all new and current employees.
- Assess and mitigate data security threats caused by their own employees and other insiders.
- Ensure that records containing the private information of New York State employees and candidates are securely destroyed promptly after the applicable retention period ends (assuming a legal hold has not been implemented).
Employment Notes, a newsletter produced by Tannenbaum Helpern Syracuse & Hirschtritt LLP’s Employment Law practice, provides insights on recent employment caselaw, legislation and other legal developments impacting employer policies, human resource strategies and related best practices.