The SHIELD Act: NY’s Expanded Security Requirements and Data Breach Notification Law Asks More of Businesses (and not just those in New York)Print PDF
Earlier this month the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act") went into effect. The law, which was signed in July of last year by Governor Andrew Cuomo, makes several important changes to New York’s data security and breach notification regimes including requiring certain proactive security improvements and expanding NY’s data breach law. Although businesses may be well-positioned to comply with the SHIELD Act if they have taken steps to abide by other states’ laws, including Massachusetts’s stringent breach notification and security framework, they should still take heed of several important changes.
First, and most importantly for companies outside of New York, the law expands its reach to include any entity that owns or licenses the private information of New York residents. This change to the law, which previously only applied to companies conducting business in the state, will place many unsuspecting businesses in the SHIELD Act’s crosshairs. Companies engaged in e-commerce or that otherwise collect detailed user information online are encouraged to review their data security plans to ensure they adequately protect information collected from New York residents.
Second, the law broadens the categories of personal information that businesses must safeguard. The SHIELD Act defines “private information” to include Social Security numbers, driver’s license numbers, credit or debit card numbers, financial account information, biometric information, and online account credentials. This definition captures a greater variety of data than many other states’ laws and moves New York to the front of the pack for the breadth of information it protects.
Third, the SHIELD Act adds nuance to the types of security events that qualify as a breach and when they must be reported. A breach under the law has occurred where there is unauthorized access to or acquisition of computerized data that compromises the security confidentiality, or integrity of private information. This is a significant expansion of the definition from the previous regime, which defined a breach only as the unauthorized acquisition of computerized data. By adopting a more expansive definition—one that includes mere “access” in addition to “acquisition”—the legislature has cast a much wider net which will capture a greater number of incidents. For example, a classic ransomware attack, in which an attacker encrypts data onsite but doesn’t copy or view it, would probably not be covered by the prior statute but is likely within the definition of a breach under the SHIELD Act. The Act does, however, provide some additional discretion to companies that might mitigate this expansion, in that it allows businesses to consider whether there are signs that the information was viewed, communicated with, used, or altered when deciding if unauthorized access has occurred. This will require a careful, case-by-case analysis to determine whether a particular hacking incident included improper access.
The law also provides, like under the Health Insurance Portability and Accountability Act (HIPAA) and other breach reporting frameworks, for a risk-based exception to its reporting requirements in certain other cases. If an inadvertent disclosure of computerized data results in unauthorized access to private information that compromises its security, confidentiality, or integrity, notice to consumers is not required if the business reasonably determines the exposure will not likely result in misuse of the information, financial harm to the affected persons, or emotional harm from disclosure of online credentials. Notably, the law does not change the time required for notification—“in the most expedient time possible and without unreasonable delay.” Although these changes in the law are subtle, they will transform the way practitioners handle breaches involving the private information of New York residents going forward.
And fourth, the SHIELD Act requires companies to meet a three-pronged standard for protecting the private information of New York residents. To achieve compliance, organizations must implement a security program that includes reasonable administrative, technical, and physical safeguards—all categories defined under the law. That said, regulated organizations in compliance with the Gramm-Leach-Bliley Act, HIPAA, or the New York State’s Department of Financial Services cybersecurity regulations are considered to comply with the SHIELD Act. But if a company fails to implement appropriate measures under the law, the New York Attorney General is empowered to pursue injunctive relief or civil penalties.
New York’s SHIELD Act is the most recent example of a state reaching beyond its territorial borders to impose onerous administrative and breach-response-related requirements on companies that do business with its residents. As this trend continues, with more and more states passing increasingly complex data security laws, businesses should now, more than ever, review their information security programs to ensure compliance with the evolving regulatory landscape.
This advisory was prepared by Seth Berman, the leader of Nutter’s Privacy and Data Security practice group, and James Gately, an associate in the Business Litigation and Privacy and Data Security practice groups. For more information, please contact Seth, James, or your Nutter attorney at 617.439.2000.
This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.