On July 25, 2019, New York Governor Andrew M. Cuomo signed the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act, which tightens New York’s data breach law by imposing stronger obligations on businesses handling private information and affords consumers who may have been impacted by a data security incident additional protections. This Act signifies how seriously states like New York are taking privacy, data and cybersecurity and has far-reaching impact on persons and businesses across the nation.
Under New York’s existing data breach notification law, General Business Law § 899-aa, enacted in 2005, any person or entity conducting business in New York, and which owns or licenses computerized data which includes private information, shall disclose a breach of the security system following discovery or notification of the breach to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
Importantly, the existing law only applies to persons or entities conducting business in the state of New York. The existing law also was outdated in that it narrowly defined “private information” as an individual’s social security number, driver’s license number or non-driver identification card number, or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, provided that the information also included any information that can be used to identify the person (i.e., name, number, personal mark, or other identifier).
The SHIELD Act brings New York’s data breach notification law up to date with the rising threats of cybersecurity incidents by broadening the definition of a breach of security to include access to or acquisition of private information concerning a New York resident. The Act specifically states that “access” can include whether the information was viewed, communicated with, used or altered by a person without authorization. Importantly, the SHIELD Act also expands the scope of “private information” to include biometric data, and email addresses with their corresponding passwords or security questions and answers. The SHIELD Act also expands its reach and applies to any person or entity that owns, licenses or maintains private information of a New York resident, and not just those who conduct business in New York State.
Moreover, in response to the rising number of private and class actions brought by individuals who have had their personal or private information potentially impacted by data security incidents across the country, the SHIELD Act expands the statute of limitations of Attorney General enforcement actions to three years from the date on which the Attorney General became aware of the violation, or the date on which the notification is made to the Attorney General, Department of State and Division of State Police. New York’s existing data breach notification law requires notification to these regulating entities regardless of the number of individuals impacted, and notification to the three major credit reporting agencies if more than 5,000 New York residents are receiving a notification. While the existing law and the SHIELD Act do not specifically provide for a private right of action or class action litigation, the statute permits the Attorney General to bring an action on behalf of the people of the State of New York for injunctive and monetary relief.
The SHIELD Act also mandates that businesses adopt reasonable data security requirements that are tailored to the size of the business. The provisions require businesses to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information maintained by the business, and specify mandatory elements that a business’s reasonable safeguards must include. These mandatory elements include risk assessments, employee training, vendor selection, and disposal methods. Small businesses (fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets) are still subject to the reasonable safeguards requirement, but may tailor the safeguards depending on the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information maintained by the small business.
Separately, Governor Cuomo also signed the Identity Theft Prevention and Mitigation Services Act, which requires credit reporting agencies that have experienced a breach involving social security numbers to provide five years of identity theft prevention and mitigation services to affected consumers, and to allow consumers the right to freeze their credit, at no cost. This Act was in direct response to the Equifax breach, which affected over 147 million consumers who were left without any means to protect their identities following the breach. This Act goes into effect on September 23, 2019. On July 22, 2019, Governor Cuomo announced a $19.2 million settlement with Equifax over the breach, which included Equifax agreeing to provide New York consumers with credit monitoring services and free annual credit reports, and to pay restitution to impacted consumers.
The SHIELD Act requires businesses that own or license personal information of New York residents to undertake significant efforts to ensure compliance with the updated provisions on or before March 21, 2020. Entities that own, license or maintain personal information of New York residents are encouraged to consider beginning the steps necessary to ensure compliance with the SHIELD Act. Regardless of whether a business owns, licenses or maintains personal information of New York residents, all businesses are encouraged to implement the reasonable safeguards required under the SHIELD Act to mitigate the risk of a security breach and to prevent what could be a catastrophic loss to the business.
All 50 states have now enacted their own data breach notification laws, which require notification to individuals impacted by a data security incident in certain circumstances based upon the nature of the data security incident and the personal information believed to have been involved. The Gordon Rees Scully Mansukhani, LLP Privacy, Data and Cybersecurity practice group is uniquely poised to assist your company with any issues related to cybersecurity incidents. For questions regarding any aspect of the new legislation in New York, please contact the authors.