Legislative Alert: New York Amends Its Data Breach Notification Law
New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, Senate Bill 5575B/Assembly Bill 5635B. The SHIELD Act updates the state’s existing data breach notification law, N.Y. Gen. Bus. Law § 899-aa, and creates a new section, § 899-bb, requiring reasonable data security for “private information” and granting enforcement powers to the attorney general against non-compliant entities.
The Act conforms New York’s data breach notification law to current technology by identifying additional data sets that fall within the definition of “personal information” as well as “private information,” expanding upon circumstances that give rise to a security “breach,” clarifying when a notification obligation is triggered and how notification may be accomplished. The Act also incorporates a number of practical changes designed to recognize and address applicability of the statute to interstate and cross-border business practices impacting upon New Yorkers. Such changes include an expansion of entities subject to the statute and acknowledging the multiple legal regimes with which entities must comply.
Definition of “Private Information”
The drafters of Section 899-aa define both “personal information” and “private information.” While “personal information” means any information that could be used to identify a natural person, “private information” means specific types of personal information identified in the statute.
The SHIELD Act focuses on protections for “private information,” and expands the definition to include (1) an account number, credit or debit card number, if the number could be used to access an individual’s financial account without additional identifying information, security code access code, or password, (2) biometric data, and (3) a username or email address and password or security question that would allow access to an online account.
This change follows similar expansions of the definition of “personal information” in other states, recognizing the increasing number of sources of sensitive personally identifiable information collected from consumers through facial-recognition and touch screen technologies , among others.
What Constitutes a Breach?
The SHIELD Act amends the definition of “breach of the security of the system” to include “access to,” in addition to “acquisition of,” private information. It provides businesses with factors to consider when evaluating whether improper access occurred. These include indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person. The Act also sets forth an important clarification that a breach involves access to or acquisition of “private information,” whereas it previously referred to “personal information."
When and How to Notify
The SHIELD Act removes the requirement that a person or business “conducts business in New York State” in order to trigger a notification obligation in the event of a breach. Now the law applies to any person or business which owns or licenses computerized data containing private information. New York did not previously authorize entities to contemplate “risk of harm” to affected New Yorkers when evaluating whether a security breach gave rise to a notification obligation. Significantly, and perhaps in recognition of practicalities associated with usage of current technology, The Act incorporates a risk of harm analysis, which must be documented. It allows a business to avoid notification if it reasonably determines that exposure of private information will not likely result in misuse of the information, or financial or emotional harm to the affected persons.
Acknowledging the numerous legal regimes now requiring notification of data breaches, the Act provides that additional consumer notification under the Act is not required if notice has been given pursuant to Gramm-Leach-Bliley (GLBA), Health Insurance Portability and Accountability Act (HIPAA), N.Y. Department of Financial Services Regulation 500 (Reg. 500), or other federal or New York State rules, regulations, or statutes. However, notice must still be provided to the New York Attorney General, Secretary of State, and State Police.
The SHIELD Act incorporates a number of other changes meant to clarify and refine its application. For instance, the Act increases the civil penalty for violations from $10 to $20 per instance with the cap increased from $150,000 to $250,000. The Act also extends the statute of limitation for enforcement actions from 2 to 3 years, but incorporates a statute of repose of 6 years from the date of discovery of the breach, unless the entity took steps to hide the breach.
New Section 899-bb
This new section requires any person or business that owns or licenses computerized data that includes the private information of New York residents to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. A person or business complies with the section if (1) it is a compliant regulated entity or (2) it implements a data security program as described by the statute. A “compliant regulated entity” is one that is subject to and in compliance with the data security requirements of GLBA, HIPAA, Reg. 500, or other federal or New York data security rules, regulations, or statutes.
The Act outlines the elements of a “data security program,” including reasonable administrative, technical, and physical safeguards, and includes special provisions applicable to businesses that qualify as a “small business.” The Act authorizes the Attorney General to bring an enforcement action against anyone failing to comply with this section but explicitly provides that the Act does not create a private right of action.