If your business owns, licenses or manages private information of New York consumers, you may want to sit down, grab a coffee, and read on.
Governor Andrew Cuomo signed into law the “Stop Hacks and Improve Electronic Data Security (SHIELD) Act” in July of 2019, expanding New York’s existing cybersecurity laws (General Business Law §§ 899-aa and 899-bb). The SHIELD Act is specifically designed to protect New York State residents from exposure of private information due to cyber attacks, and it does so by increasing the data protection and data breach notification requirements that bind businesses collecting that information. The summary below hits the high points of the law as updated, but it is always a sound choice to seek legal counsel in order to clarify the obligations specific to your business.
The SHIELD Act is best understood in two prongs: the reasonable security requirement and the data breach notification requirement.
Reasonable Security Requirement
New York State will, as of March 21, 2020, require all persons or businesses (whether or not located in New York State) that own or license computerized data which includes private information of a New York State resident to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that private information.
Private information is defined as either (a) personal information (information concerning a natural person which, because of a name, number or other identifier, can be used to identify that person) in combination with (i) a social security number, (ii) a driver’s license number or non-driver identification card number, (iii) an account number or credit or debit card number, together with any security code, access code or password that would permit access to the individual’s financial account, or on its own if the number could be used to access the account without any additional identifying information, or (iv) biometric information (fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data used to authenticate or ascertain identity); or (b) a user name or email address in combination with a password or security question and answer that would permit access to an online account. Private information does not include information that is lawfully made available to the general public from government records.
A person or business is deemed to be in compliance with the reasonable security requirement described above if it either: (a) is a “compliant regulated entity” or (b) implements a data security program that incorporates: (i) reasonable administrative safeguards, (ii) reasonable technical safeguards, and (iii) reasonable physical safeguards.
So, what is a “compliant regulated entity” under SHIELD? A “compliant regulated entity” is essentially a person or business already subject to, and in compliance with, data security requirements under the following laws: (a) regulations promulgated under Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809), (b) regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) (45 C.F.R. parts 160 and 164) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, (c) Part 500 of Title 23 of the New York Codes, Rules and Regulations (cybersecurity requirements for financial services companies), or (d) any other data security rules and regulations of (and statutes administered by) any official department, division, commission or agency of the federal or New York State government. If you are a compliant regulated entity, you are deemed to be in compliance with the reasonable security requirement prong of SHIELD.
If, however, a person or business is not a “compliant regulated entity,” the SHIELD Act will require that it implement a data security program that incorporates: (a) reasonable administrative safeguards, (b) reasonable technical safeguards, and (c) reasonable physical safeguards.
Reasonable administrative safeguards include (but are not limited to) safeguards in which the person or business: (a) designates one or more employees to coordinate the security program, (b) identifies reasonably foreseeable internal and external risks, (c) assesses the sufficiency of safeguards in place to control the identified risks, (d) trains and manages employees in the security program practices and procedures, (e) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract, and (f) adjusts the security program in light of business changes or new circumstances.
Reasonable technical safeguards include (but are not limited to) safeguards in which the person or business: (a) assesses risks in network and software design, (b) assesses risks in information processing, transmission and storage, (c) detects, prevents and responds to attacks or system failures, and (d) regularly tests and monitors the effectiveness of key controls, systems and procedures.
Reasonable physical safeguards include (but are not limited to) safeguards in which the person or business: (a) assesses risks of information storage and disposal, (b) detects, prevents and responds to intrusions, (c) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information, and (d) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
There is an important distinction to mention specific to small businesses. Small businesses (a person or business with (i) fewer than 50 employees, (ii) less than $3,000,000 in gross annual revenue in each of the last 3 fiscal years, or (iii) less than $5,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles) are deemed to have already met the reasonable security requirement of SHIELD if the small business’s security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.
After all of this, what are the ramifications for non-compliance? Any person or business that fails to comply with the reasonable security requirement of SHIELD shall be deemed to have violated section 349 of New York’s General Business Law, which prohibits deceptive acts and practices, and the New York Attorney General may bring an action to enjoin these violations and to obtain civil penalties of up to $5,000 for each violation.
Data Breach Notification Requirement
The reasonable security requirements of SHIELD are set to take effect March 21, 2020, but SHIELD amendments to New York’s data breach notification requirements have already been in effect since October 23, 2019.
The main points:
Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach to any resident of New York State whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.
In addition, any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.
What does the law mean by the term “breach of the security of the system”? The SHIELD amendments define the term to mean unauthorized access to or acquisition of, or access to or acquisition without valid authorization of, computerized data that compromises the security, confidentiality or integrity of private information maintained by a business. It is worthwhile to note that SHIELD newly features the concept of “access”. New York breach notification laws were previously triggered only upon unauthorized acquisition of data.
So, what is the difference between access and acquisition?
To determine unauthorized access, a business may consider (among other factors) indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.
To determine unauthorized acquisition, a business may consider (among other factors): whether the information was physically possessed or controlled by an unauthorized person, or whether it was downloaded or copied or used to open fraudulent accounts or commit other instances of identity theft.
In the event of a breach of the security of the system, the person or business that owns or licenses the data must notify affected New York residents in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the integrity of the system. SHIELD specifies the notice content and methods of delivery, which include written, telephonic, electronic or what is described as “substitute” notice (for example, conspicuous posting on the business’s website together with notification to major statewide media), which comes into play if the cost of providing notice would exceed $250,000, the number of recipients exceeds 500,000, or the business does not have sufficient contact information. SHIELD breach provisions also require notice to the NYS Attorney General, the NYS Department of State and the NYS State Police, and, in cases where more than 5,000 New York residents are to be notified at one time, to consumer reporting agencies.
SHIELD makes allowance for inadvertent disclosure by persons authorized to access the private information, where the business reasonably determines that the exposure will not likely result in misuse of the information or in financial or emotional harm to the affected persons; that determination must be documented in writing and retained for at least five years, and if the incident affects more than 500 New York residents the written determination must be provided to the Attorney General within ten days. Notice already given to affected persons under other laws (think “compliant regulated entities”) also satisfies the consumer notice requirement, although notice to the Attorney General, the Department of State and the State Police is still required. A business should seek legal counsel to determine what specific notification obligations may apply to it should it ever find itself in this situation.
The SHIELD Act may, at present, only be enforced by the New York Attorney General. The Attorney General is empowered to seek injunctions as well as money damages for actual costs or losses incurred by a person entitled to notice (including consequential financial losses), if notification was not provided to such person. Take special notice of the fact that a court may impose civil penalties of the greater of $5,000 or up to $20 per instance of failed notification (provided that the latter amount shall not exceed $250,000) if the court determines that a person or business violated data breach provisions knowingly or recklessly. Statutes of limitations do apply to potential claims, but no such limitations exist if a company takes deliberate steps to hide a breach.
Note that much of the updated law described above also applies to New York State entities, with a few notification distinctions involving the New York State Office of Information Technology Services.
In sum, the SHIELD Act evidences the serious and expanding effort by New York State to address growing cybersecurity risks, which are themselves big business these days. The era of the simple flashing virus on your computer screen is clearly over. There is much one can do to protect one’s business, but vigilance is key. Remember that the law is the template, but the moral of the story is protection. We encourage consultation with legal counsel as well as IT professionals to ensure you and your business are in compliance with these updated requirements.
This publication is intended as an information source for clients, prospective clients, and colleagues and constitutes attorney advertising. The content should not be considered legal advice and readers should not act upon information in this publication without individualized professional counsel.
McConville Considine Cooman & Morin, P.C. is a full-service law firm based in Rochester, New York, providing high-quality legal services to businesses and individuals since 1979. With over a dozen attorneys and a full paralegal support staff, the firm is well-positioned to right-size services tailored to each client. We are large enough to provide expertise in a broad range of practice areas, yet small enough to devote prompt, personal attention to our clients.
We represent a diverse range of clients located throughout New York State and New England. They include individuals, numerous manufacturing and service industry businesses, local governments, and health care professionals, provider groups, facilities and associations. We also serve as local counsel to out-of-state clients and their attorneys who have litigation pending in Western New York courts. For more information, please contact us at 585.546.2500.