Bill Amends Existing Law to Expand Consumer Rights and Enhance Cybersecurity
On June 17, 2019, the New York Legislature approved a substantial revision of New York state’s data security and breach notification requirements under the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The bill now awaits Governor Cuomo’s signature and, if signed, will substantially impact efforts by public and private organizations to contend with breach incidents and comply with data security requirements across industries.
The SHIELD Act (the “Act”) would apply to any person or entity that processes the personal information of a New York state resident, even if such person or entity is located outside of the state. Given the size, population, and extensive business and financial influence of New York state, the Act will have national impact. With the Act, New York joins a growing list of activist states that are enacting new laws to address privacy and cybersecurity concerns.
Data Breach Implications
The Act would amend New York’s data breach law (GBL §899-aa and §899-bb) in several key areas. First, it broadens the definition of “private information” to include biometric data, account numbers, a username or email address combined with a password or with a security question and answer, and unsecured “protected health information” under HIPAA. Second, it expands the definition of a “data breach” to cover unauthorized access to private information, replacing the current standard of unauthorized acquisition, so that an attacker who merely views data may trigger a breach even where nothing was exfiltrated. Third, as noted above, the Act applies to entities outside the state’s geographic boundaries. Taken together, these amendments raise the bar for companies that experience data breaches involving New York state residents by expanding their notification obligations.
There’s also some good news for business. The Act provides that inadvertent disclosures by individuals authorized to access the private information do not trigger notification requirements if the exposure will not likely result in misuse or in financial or emotional harm to the affected individuals. This “harm threshold” may operate to exempt very minor breaches from the Act.
The Act notably applies a reasonableness standard for evaluating data security safeguards, and treats as de facto reasonable those entities that can demonstrate compliance with selected federal and state data security frameworks, including GLBA and HIPAA as well as other New York state data security regulations, such as the Department of Financial Services Cybersecurity Regulation. Similarly, if a company meets the breach notification requirements of one of those frameworks, no further notification to affected individuals would be required under the Act, with the caveat that the entity would still have to provide notice to the New York authorities. As approved by the Legislature, the Act includes an interesting placeholder for future federal and New York state data security regulations, likely in anticipation of ongoing legislation at all levels. In a nod to small business, the Act defines “reasonable” data security in light of the size of the covered entity, and provides a suggested but not mandated road map for implementing administrative, technical, and physical safeguards.