New SHIELD Act provisions take effect in March
The amendments to the SHIELD Act broaden the law’s reach, applying to any company that collects personal information of NY residents.
An amendment to New York’s data breach notification law, the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), will take effect on March 21, 2020. The amendment imposes stricter data security requirements for confidential personal information and stricter breach notification requirements to protect New Yorkers following a breach.
The amendments to the SHIELD Act broaden the law’s reach, applying to any company that collects personal information of New York residents, even if the company does not conduct business within the state of New York. The information protected under the SHIELD Act includes Social Security numbers, driver’s license numbers, credit or debit card numbers, financial account numbers with or without security codes, biometric information, email addresses, email passwords, and email security questions and answers.
The amendments also broaden the definition of “breach,” which is newly defined as requiring only unauthorized access to confidential information to constitute a breach, even if the accessor fails to take or use the information obtained. Once a breach occurs, companies must notify consumers “immediately following discovery.” Notice to consumers must include:
… contact information for the person or business making the notification, the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information, and a description of the categories of information that were, or are reasonably believed to have been, accessed or acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so accessed or acquired.
There are two exceptions to the SHIELD Act’s notification requirement: (1) when the breach was inadvertent by someone who had authority to access the information and reasonably determines that the exposure will not likely result in misuse or harm; or (2) if notice of the breach is made to affected persons through another breach notification law, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996.
To prevent breaches from occurring, the amendments to the SHIELD Act also require companies that own or license computerized data containing private information to “develop, implement and maintain reasonable safeguards.” Businesses can comply with this requirement upon implementation of a data security program that includes any of the following:
- Reasonable administrative safeguards, such as: designating an employee to coordinate the security program; identifying reasonably foreseeable internal and external risks; assessing the sufficiency of safeguards in place to control the identified risks; training and managing employees in the security program and practices; and adjusting the security program in light of business changes or new circumstances.
- Reasonable technical safeguards, such as: assessing risks in network and software design; assessing risks in information processing, transmission and storage; detecting, preventing and responding to attacks or system failures; and regularly testing and monitoring the effectiveness of key controls, systems and procedures.
- Reasonable physical safeguards, such as: assessing risks of information storage and disposal; detecting, preventing and responding to intrusions; protecting against unauthorized access; and disposing of private information within a reasonable time after it is no longer needed for business purposes.
The SHIELD Act limits liability to actions brought by the Attorney General. Civil damages in the event of a knowing or reckless violation of the SHIELD Act can amount to the greater of $5,000 or up to $20 per instance of failed notification, not to exceed $250,000.
The New York Privacy Act
The passage of the SHIELD Act last year came after the introduction of SB-5642, known as the “New York Privacy Act” (NYPA). Currently pending before New York’s Senate Consumer Protection Committee, the NYPA, if passed, would arguably become the strictest data privacy law in the country.
While the NYPA is largely based on the California Consumer Privacy Act (CCPA), it contains some notable distinctions. Unlike the CCPA, the NYPA would apply to all companies that conduct business in the state or produce products or services that intentionally target New York residents. This would be broader than the applicability of the CCPA and much of the privacy legislation pending in other states that base applicability upon annual revenue.
A unique provision of the NYPA is its requirement that companies act as “data fiduciaries” when collecting New York residents’ personal data. To be in compliance with this section of the NYPA, companies must “act in the best interests of the consumer, without regard to the interests of the entity … in a manner expected by a reasonable consumer under the circumstances.” In this capacity, companies must reasonably secure personal information from unauthorized access and promptly inform consumers in the event of a breach. Further, companies must safeguard against “privacy risks,” or “potential adverse consequences to consumers and society arising from the processing of personal data,” that could result in the following harm to consumers:
direct or indirect financial loss or economic harm; psychological harm, such as anxiety, embarrassment, fear and other demonstrable mental trauma; significant inconvenience; adverse effect relating to a person’s eligibility for rights, benefits or privileges in employment, credit and insurance, housing, education, professional certification or the provision of health care services; stigmatization or reputational harm; disruption and intrusion from unwanted commercial communications; price discrimination; effects that are reasonably foreseeable to the company; and other adverse consequences that affect an individual’s private life.
Additionally, data fiduciaries under the NYPA cannot use personal information to the detriment of the consumer or in a way that would foreseeably and materially harm or be highly offensive to a reasonable consumer. “Materially harm” and “highly offensive to a reasonable consumer” are undefined currently. It will be interesting to see if and how lawmakers decide to define these terms.
Another distinct feature of the NYPA is the requirement that consumers “opt-in” to the collection of their personal data. Absent clear consent, companies may not use, process or transfer a consumer’s personal information. The concept of consumers “opting-in” is consistent with the European Union’s General Data Protection Regulation (GDPR), rather than the CCPA, which requires consumers to “opt-out” of having their data collected.
Similar to the GDPR and CCPA, the NYPA provides consumers with numerous rights, such as the right of consumers to access their personal data; request a correction of their personal information; request a company to complete incomplete personal information; request a deletion of their personal information; and request a company to stop processing personal information.
The Attorney General can bring an action on behalf of the state of New York to seek redress against companies that fail to comply with the NYPA. Additionally, consumers have a private right of action and can pursue either an injunction or actual damages for NYPA violations. Unlike the CCPA, which provides consumers with statutory damages per violation without requiring them to show how a breach of the CCPA actually damaged the individual consumer, the NYPA awards damages to consumers only if actual damages can be proven, likely making it more difficult for consumers to sustain a cause of action.
The takeaway
Privacy is now an important part of conducting business every day. As more states consider and implement privacy legislation, companies should examine what information they collect; why the information is collected; who has access to the information; how the information is protected from unauthorized access; and whether the company is prepared in the event of a breach. These considerations are important and necessary steps to ensure compliance with existing laws and to be fully prepared for compliance with laws that are still pending but coming soon. Companies that fail to take action and ignore compliance risk government enforcement, class action lawsuits, damage to their reputation, financial consequences, and loss of customers.
Christopher A. Iacono is a partner of Pietragallo Gordon Alfano Bosick & Raspanti, where he practices in the cybersecurity and privacy, government enforcement, compliance, and white-collar litigation, and commercial litigation groups. Gabrielle I. Weiss is an associate in the firm’s cybersecurity and privacy and employment and labor groups.