New York’s Newly-Enacted SHIELD Act May Prove To Be a Sword To Unprepared Businesses
New York’s Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”) was signed in July 2019; its amendments to the state breach notification law took effect on October 23, 2019, and its data security requirements took effect on March 21, 2020. The Act expands existing state breach notification requirements and imposes specific data security obligations on covered businesses that own or license the private information of New York residents, regardless of whether those businesses are based in New York. The Act also broadens the definition of “private information” to include new types and combinations of data, such as account credentials and biometric data.
The Act introduces several key changes.
The SHIELD Act Broadly Imposes Security Safeguards
The SHIELD Act requires “any person or business that owns or licenses computerized data which includes the private information of a resident of New York [to] develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but not limited to, disposal of data.” The Act’s reasonable security requirement is indicative of a trend by an increasing number of jurisdictions to impose affirmative information security standards on private businesses.
Even though the Act provides some examples of “reasonable” administrative, technical, and physical safeguards, the burden is ultimately on a particular business to determine appropriate planning and conduct under each category. The Act appears to require, at a minimum, any business owning or licensing the data of a New York Resident to develop, implement, and maintain a reasonable data disposal policy.
Companies already subject to, and in compliance with, the information security requirements of certain other regulatory regimes, e.g., the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), or the New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500), are deemed to be compliant with the SHIELD Act’s reasonable security requirement. Note that this deemed compliance covers the safeguards requirement only; such businesses remain subject to the Act’s breach notification provisions.
The SHIELD Act Expressly Regulates Small Businesses
Small businesses, defined under the SHIELD Act as businesses with fewer than fifty employees, less than three million dollars in gross annual revenue in each of the last three fiscal years, or less than five million dollars in year-end total assets, must also develop reasonable safeguards if they own or license the private information of a resident of New York.
However, the Act allows a small business to tailor its safeguards to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it collects. Tailoring is not an exemption: the small business must still be able to show that the safeguards it chose are reasonable for its circumstances.
The SHIELD Act Expands “Breach” To Include Unauthorized Access, Not Just Acquisition
The SHIELD Act imposes various disclosure requirements—a process that must be undertaken without “unreasonable delay”—on businesses that experience a breach involving the private information of a New York resident.
The Act defines a “breach of the security of [a] system” as the unauthorized access to or acquisition of computerized data that compromises the security, confidentiality, or integrity of private information. This is a departure from New York’s previous data breach law, which required the “unauthorized acquisition” of computerized data. Therefore, a business may have SHIELD Act notification obligations even if the subject private information was merely accessed, as opposed to exfiltrated, by an unauthorized party.
Notably, the Act supplies factors for determining whether private information has been accessed, including indications that the information was viewed, communicated with, used, or altered by a person without valid authorization. A business cannot apply those factors unless it can reconstruct who touched the data and when, so the Act arguably implicitly requires access logging and audit trails sufficient to make such determinations after an incident.
A business that may otherwise be obligated to engage in a SHIELD Act breach notification process should take extra care to determine whether one of the Act’s detailed notification exceptions applies to the specific data incident at hand. For example, notice to affected individuals is not required where the exposure resulted from an inadvertent disclosure by a person authorized to access the information and the business reasonably determines that the exposure is unlikely to result in misuse or financial or emotional harm; that determination must be documented in writing and retained for five years, and the Attorney General must be notified within ten days if the incident affected more than five hundred New York residents. A business that has already notified affected individuals under another applicable regime (such as GLBA, HIPAA, or Part 500) need not provide a second notice under the SHIELD Act, though it must still notify the required state agencies.
The SHIELD Act Expands Definition of “Private Information” To Include Biometric Information
At a time when many states and municipalities are grappling with legislation to regulate the use of biometrics and facial recognition, the SHIELD Act has amended the definition of “private information” to include biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics (such as a fingerprint, voice print, or retina or iris image) that are used to authenticate or ascertain the individual’s identity. The definition is arguably broader than the definition of biometric information contained in the Illinois Biometric Information Privacy Act (“BIPA”). The amended definition also reaches a username or e-mail address in combination with a password or security question and answer, and an account or card number that can be used to access a financial account without any additional code or password.
A business of any size that handles the private information of New York residents may have legal obligations under the SHIELD Act. While the Act expressly does not provide a private right of action, violators are subject to enforcement action and civil penalties sought by the New York State Attorney General.
The SHIELD Act adds to a growing set of laws and frameworks counseling that reasonable administrative, technical, and physical information security controls are pillars of any robust information security program. The SHIELD Act provides businesses with a compelling reason to reassess their incident response programs and information security policies to best allow for their responsible leveraging of data and minimization of cyber liabilities.