By March 21, 2020, all employers—not just New York employers—with private information about New York residents must be in full compliance with the new "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act. The Act implements major changes in data security protections for New York residents by amending the New York General Business Law and the New York State Technology Law. While the existing statutes already provide some breach notification protections, the Act's key updates broaden the definition of a data breach; broaden the scope of information covered under notification laws; require reasonable data security; provide standards tailored to small businesses; and broaden breach notification requirements.
Broader Definition of "Breach"
Under current New York law, a breach is defined as "unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business."
The Act expands the law to interpret a breach to include unauthorized access or access to private information without authorization, not just acquisition. To help a business determine whether private information has been accessed, the Act lists factors including, but not limited to, "indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person."
Broader Definition of "Private Information"
Currently, the General Business Law protects "personal information," defined as "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person." It also protects "private information," defined as personal information combined with any of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: (1) Social Security number; (2) driver's license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
The Act significantly expands this definition of "private information" to also protect:
- In combination with a personal identifier, an account, credit, or debit card number, if it is possible to use the number to access an individual's financial account without any additional identifying information, security code, access code, or password;
- In combination with a personal identifier, biometric information, defined as "data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate an individual's identity"; and
- A user name or email address in combination with a password or security question and answer that would give access to an online account.
Imposing Data Security Requirements
The Act also creates entirely new requirements for any person or business that owns or licenses computerized data that includes the private information of New York residents to "develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including, but not limited to, disposal of data."
A person or business is considered in compliance with the Act when they implement a data security program containing a number of detailed administrative, technical and physical safeguards enumerated in the law. These include, but are not limited to:
- Designating one or more employees to coordinate the security program;
- Training and managing employees in the security program practices and procedures;
- Requiring contractual safeguards from service providers;
- Running certain risk assessments;
- Adjusting the security program in light of business changes or new circumstances; and
- Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Businesses are also considered compliant when they meet the data security requirements of other laws such as the Health Insurance Portability and Accountability Act (HIPAA) (protecting the privacy and security of certain health information), the Gramm-Leach-Bliley Act (requiring financial institutions to explain how they share and protect customers' private information), and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (widening the scope of privacy and security protections under HIPAA).
Providing Individualized Standards
For small businesses meeting any of the following criteria—fewer than 50 employees, less than $3 million in gross revenues in each of the last three fiscal years, or less than $5 million in year-end total assets—the Act contains certain relaxed data security program standards. A small business's security program complies with the Act if it "contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers." By contrast, all other covered businesses must implement the specified safeguards enumerated in the statute, as previously discussed, such as designating employees to coordinate the program, requiring contractual safeguards from service providers, and so forth.
Broadening Breach Notification Requirements
The Act no longer covers only people and businesses who conduct business in New York; its scope now encompasses any people or businesses that own or license computerized data that includes private information of New York residents. In the event of a breach triggering notification requirements, as identified under the Act, notification must be made to affected New York residents, in addition to the New York Attorney General, the New York Department of State, and the New York State Police. When over 5,000 residents are affected by the breach, notification must also be made to consumer reporting agencies.
Notably, notice of a breach is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse or harm.
While the Act does not establish a private right of action, the Attorney General may bring an action to enjoin violations of the Act and to obtain civil penalties. For violations of the reasonable safeguards requirements, courts may impose penalties of no greater than $5,000 per violation.
For knowing or reckless violations of the notification provisions, courts may impose a penalty of the greater of $5,000 or up to $20 per instance of failed notification, the latter of which is capped at $250,000. For notification provision violations that are not knowing or reckless, courts may award damages for actual costs or losses incurred by a person entitled to notice, if notice was not provided.
What This Means for Employers
Employers should act immediately and thoroughly to ensure their businesses meet the Act's new standards. Any employer who handles data including the private information of New York residents, even if such employer does not conduct business in New York, must be in compliance with the Act.
Covered employers must adopt a breach notification policy consistent with the Act's requirements. Additionally, among a number of other steps, employers should consult counsel to determine whether their data security programs contain the proper safeguards suited for their business as enumerated in the Act. If not already compliant pursuant to another statutory requirement, employers should take steps such as designating an employee to coordinate their security programs; training and managing employees in their security program practices and procedures; and reviewing service provider contracts to ensure the appropriate safeguards are contained in such agreements, among numerous other steps. While the March 21, 2020, deadline may seem far away, compliance may be a time-consuming and lengthy process.
For More Information
If you have any questions about this Alert, please contact Eve I. Klein, any of the attorneys in our Employment, Labor, Benefits and Immigration Practice Group, any of the attorneys in our Privacy and Data Protection Practice Group, or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.