On July 25 of this year, Gov. Andrew Cuomo signed into law the “Stop Hacks and Improve Electronic Data Security” Act, commonly known as the SHIELD Act. While the SHIELD Act has garnered some attention given the ever-increasing number of privacy breaches impacting New York residents and others throughout the country, N.Y. General Business Law § 899-aa, New York state’s breach law, has been on the books since 2005. The SHIELD Act’s amendments to Section 899-aa have given New York businesses more to pay attention to.
Previously, Section 899-aa explicitly applied to any entity conducting business in New York state that owned, licensed, or maintained computerized data. Under the SHIELD Act, the prerequisite of conducting business in New York state has been eliminated, even though the obligation to notify individuals impacted by a breach, or regulatory agencies that may intercede in the event of a breach, relates only to breaches affecting New Yorkers. In addition, the types of computerized data — called “private information” under Section 899-aa — that a business must safeguard have been expanded by the SHIELD Act. Private information now includes biometric data (e.g., fingerprints, voice prints, or retina scans) as well as combinations of information, such as user names and passwords, if the improper disclosure of such information could compromise an individual’s account.
Perhaps the biggest change under the SHIELD Act is the addition of Section 899-bb, which will require businesses that own or license computerized private information of New Yorkers to implement and maintain “reasonable safeguards” to protect that information. For entities required to comply with the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act, this may sound familiar, as federal regulations have required these industries to maintain reasonable security standards for years. In fact, entities that can demonstrate compliance with these laws or other New York State data security requirements, such as the New York Department of Finance cybersecurity regulations, will be deemed compliant for purposes of Section 899-bb. Entities that are not deemed compliant under other data-security rules must have a data-security program with administrative, technical and physical safeguards for computerized data in place by March 21, 2020. Small businesses have additional flexibility for developing their data-security programs based on their size, complexity and the sensitivity of the information they maintain. Small businesses are defined as those having fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets.
The SHIELD Act also brought about changes to reporting requirements for breaches of private information. Section 899-aa now includes an exception to the breach-notice requirement for inadvertent disclosures where the entity can demonstrate that exposure will not result in misuse of the information or financial or emotional harm to an individual. Such determinations must be documented by the entity and maintained for a period of five years. If an incident affects over 500 New Yorkers, the entity must provide its written determination to the New York State Attorney General within 10 days of making such a determination.
In the event a breach notice is required, it continues to be the case that the entity must provide notice to impacted New York residents as well as the New York State Attorney General, the State Police, and the Department of State’s Division of Consumer Protection. For breaches affecting more than 5,000 New Yorkers, notice is also required to consumer reporting agencies, as was the case prior to the SHIELD Act amendments. In addition, the attorney general must now receive notice of breaches that do not include “private information.” This raises the question whether entities must provide notice to the attorney general of breaches that do not involve computerized data. In addition, notices to individuals impacted by a breach must include contact information for state and federal agencies that provide information regarding security breach response and identity theft protection. Since this is not currently required for HIPAA breach notices to individuals, this is one area where health-care organizations may have to update their HIPAA breach-notification policies and templates.
Failure to comply with Sections 899-aa and 899-bb may be costly. While individuals do not have a right to bring a claim in court under this law, the attorney general may bring an action against an entity in the name of impacted New Yorkers. Knowing or reckless violations of the data-breach notification requirements could lead to civil penalties of $5,000, or up to $20 per instance of failed notification, capped at $250,000. Failure to comply with the data-security program requirements could lead to civil penalties of $5,000 per violation, though it is unclear what would constitute a single violation. While the civil penalties are not new, the amounts have increased, just as we expect to be the case with enforcement efforts under New York’s breach law. The changes to the breach-notification law went into effect on October 23, 2019; however, businesses have until March 21, 2020, to meet the new data-security program requirements.
Mary M. Miner is a partner and Andriy Troyanovych is an associate at the Syracuse-based law firm of Hancock Estabrook, LLP. Contact Miner at firstname.lastname@example.org and contact Troyanovych at