The New York SHIELD Act,[1] officially titled the Stop Hacks and Improve Electronic Data Security Act, amends New York’s existing data breach notification law in several significant ways and adds a number of data security protection requirements. The amended data breach notification obligations went into effect on Oct. 23, 2019, with the data security requirements going into effect on Mar. 21, 2020. Though consumers do not have a private right of action[2] to enforce its mandates, the SHIELD Act is enforceable by the New York Attorney General.

Amendments to New York Breach Notification Obligations

Unauthorized Access. The SHIELD Act expands the existing breach notification obligation to require any person or business which owns or licenses computerized data that includes private information to provide notice for any breach to any New York resident whose private information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person. The previous New York law applied only to data that was acquired by an unauthorized person. The Act contains a list of non-exclusive factors to consider in determining whether information has been accessed, including indications that the information was viewed, communicated with, used or altered by a person without valid authorization or by an unauthorized person.

Private information. The definition of “private information” is expanded to include biometric information; username/email address in combination with a password or security questions and answers; and an account number or credit/debit card number, even without a security code, access code or password, if the account could be accessed without such information. The full definition of “private information” includes:

1. Social Security number.
2. Driver’s license or state ID card number.
3. Account, credit card or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account.
4. Account, credit card or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code or password.
5. Biometric information.
6. Username or email address combined with a password or security question and answer that would permit access to an online account.

Expanded Territorial Scope. The SHIELD Act applies the breach notification requirements to any person or business that owns or licenses private information of a New York resident. This scope is broader than the original statute, which applied only to entities that conduct business in New York.

Attorney General Enforcement. If the New York Attorney General believes notice was not provided in compliance with the requirements of the SHIELD Act, the Attorney General may bring an action for injunctive relief and civil monetary damages for actual costs or losses incurred by individuals who should have been notified. If a court determines a person or business knowingly or recklessly failed to comply, the court may impose a penalty of the greater of $5,000 or up to $20 per instance of failed notice (not to exceed $250,000).

Reasonable Data Security Protection Requirements

The SHIELD Act further mandates that “[a]ny person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” While the SHIELD Act does not set out specific requirements for persons or businesses to implement, a person or business is provided two options to be deemed compliant:

1. A person or business is compliant with the SHIELD Act if it is already subject to and in compliance with preexisting data security requirements regulated by the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) or the New York Division of Financial Services (NYDFS). This option generally applies to financial institutions, healthcare providers and insurance professionals already in compliance with GLBA, HIPAA and NYDFS data security regulations.
2. For the remainder of the private sector, a person or business is required to implement a data security program that includes the following:

• Reasonable administrative safeguards. The person or business should designate an employee to coordinate the program; identify reasonably foreseeable internal and external risks; assess the adequacy of existing measures; train and manage employees in the security program; select service providers capable of maintaining safeguards and require those safeguards by contract; and adjust the security program in light of business changes or new circumstances.
• Reasonable technical safeguards. The person or business should assess risks of network and software design; assess risks in information handling; and detect, prevent and respond to attacks or system failures.
• Reasonable physical safeguards. The person or business should assess risks of information storage and disposal; detect, prevent and respond to intrusions; guard against unauthorized access to private information; and dispose of information within a reasonable amount of time after it is no longer needed so that the information cannot be read or reconstructed.

Any person or business that owns or licenses the private information of a New York resident and fails to comply with the SHIELD Act’s data security protection requirements may be subject to a court-imposed civil penalty of not more than $5,000 per violation in an action brought by the New York Attorney General on behalf of the people of the state of New York.

[1] N.Y. Gen. Bus. Law § 899-aa & § 899-bb (McKinney 2020), located at https://www.nysenate.gov/legislation/laws/GBS/899-AA and https://www.nysenate.gov/legislation/laws/GBS/899-BB.

[2] California’s data breach notification law does include a private right of action. For further discussion, see https://www.dataprivacymonitor.com/ccpa/words-matter-interpreting-the-ccpas-private-right-of-action-provision/. Also, a growing number of states are looking to add a private right of action. See, e.g., https://www.dataprivacymonitor.com/state-legislation/the-washington-privacy-act-is-back/.