The New York SHIELD Act: Wide-Ranging Data Protection but with Significant Exemptions
The New York Legislature passed the state’s first comprehensive cybersecurity law, the SHIELD Act, on June 17, 2019. It is awaiting review and perhaps approval by Governor Andrew Cuomo. Whether it is groundbreaking can be debated, but if signed, as expected, it will certainly have an impact on businesses that access personal information of New York residents.
The SHIELD Act (an acronym for “Stop Hacks and Improve Electronic Data Security”) comprises two significant changes to data protection in New York: a revision to the state’s breach notification provisions, and prescriptive cybersecurity regulations for entities, wherever situated, that access “private information” of New York residents (except for “small businesses, defined as those with fewer than fifty employees, less than three million dollars in gross revenue in each of the last fiscal years or less than five million dollars in year-end total assets”).
The Act expands the scope of the state’s breach notification statute, General Business Law § 899-aa, in a number of ways. It adds biometric information (fingerprint, facial recognition image, iris scan, etc.) and a user name or email address in combination with a password or security question as categories of protected information. It also adds “access” to protected information to the definition of a breach.
But what the Act gives in protection with one hand it takes away with the other. Notice of breach to affected persons is not required if the disclosure was inadvertent and not likely to result “in misuse of such information or financial harm or emotional harm in the case of unknown disclosure of online credentials,” but the determination of the risk of such harm is left to the individual or business who caused the disclosure. How objective this person or business may be in assessing such risk is debatable. The Act does require that such a determination be documented and, in the case of an incident affecting more than five hundred New York residents, that it be provided to the Attorney General within ten days of the determination.
The Act adds cybersecurity provisions to the General Business Law in a new section, 899-bb. Businesses that are subject to and in compliance with HIPAA, Title V of the Gramm-Leach-Bliley Act, or “other data security rules and regulation of any division of the state or federal government” are not required to meet these new standards. In addition, there is no private right of action for violation of the security standards. Enforcement is left to the Office of the Attorney General.
The cybersecurity provisions resemble, but are less prescriptive than, the cybersecurity regulations applicable to organizations supervised by the New York Department of Financial Services under 23 NYCRR Part 500. Required safeguards include a written cybersecurity program; cyber risk assessments; data minimization; cybersecurity due diligence of third-party providers that have access to protected information; and “security program practices and procedures” training for the work force. “Small businesses” are required to adopt “reasonable administrative, technical and physical safeguards” that are appropriate for the business. But small businesses certainly don’t get a free pass, in that one of the criteria for determining whether the security program is appropriate is the “sensitivity of the personal information.” The issue that will loom largest for these businesses, then, is satisfying customer requirements that they meet the Act’s standards whenever the business accesses sensitive personal information such as healthcare data.
The Act is due to become effective two hundred forty days after it is signed into law.
If you have questions regarding your compliance responsibilities under the Act, please contact Kenneth N. Rashbaum.