New York state’s first comprehensive cybersecurity law, the SHIELD Act, was signed into law by Governor Andrew Cuomo on July 25, 2019.
As we wrote when the Legislature passed the Act in June, the SHIELD Act (an acronym for “Stop Hacks and Improve Electronic Data Security”) comprises a revision to the state’s breach notification provisions. It also includes prescriptive cybersecurity regulations for entities, wherever situated, that access “private information” of New York residents. “Small businesses,” defined as those with fewer than fifty employees, less than three million dollars in gross revenue in each of the last fiscal years or less than five million dollars in year-end total assets, are exempt from these cybersecurity provisions. However, they must still implement “reasonable safeguards” that are appropriate for the “nature and scope” of the small business’ activities.
Ambiguities and questions may create work for lawyers and consultants for quite some time. Protected “private information” includes usernames and email addresses when combined with a password or security questions that permit access to an “online account.” “Online account” is not defined, and it is not clear if all accounts, including those that do not comprise other elements of “private information” like Social Security Numbers or financial account information, are within the scope of this definition. here is no need to notify individuals if the breach of the protected information was “inadvertent” and the business or person responsible for the breach “reasonably determines” that the breach is not likely to result in “misuse of that information or financial harm” to affected individuals. This determination must be documented, but there is no right to sue for violation of the Act’s provisions and so the question of how and when such documentation would be reviewed, given the resources of the Office of the Attorney General, remains open.
If you have questions or concerns regarding the scope of the new Act and compliance with its provisions, please contact Kenneth N. Rashbaum.