By: Tracey Lattimer
On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which updates New York’s data breach notification law (as set out in the New York General Business Law and New York State Technology Law) and implements new data security requirements. On March 21, 2020, the SHIELD Act came into full effect.
The most significant changes introduced by the SHIELD Act include:
- The types of information that may trigger the data breach notification requirements have been expanded to include: (i) in combination with a personal identifier, an account number or credit or debit card number, if such number could be used to access an individual’s financial account without additional identifying information, security code, access code or password; (ii) in combination with a personal identifier, biometric information; and (iii) a user name or email address in combination with a password or security question and answer that would permit access to an online account. (See the definition of “private information” within the Act.)
- The Act introduces new data security requirements. Any person or business that owns or licenses computerized data that includes private information of a New York resident must now develop, implement and maintain “reasonable safeguards to protect the security, confidentiality and integrity of the private information.” The Act also sets out “reasonable” administrative, technical and physical safeguards that should be included in a compliant data security program.
The amendments to the data breach notification requirements came into force on October 23, 2019. The new data security requirements came into force on March 21, 2020.
Under the Act, violations of the data breach notification requirements can attract a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, provided the latter amount shall not exceed $250,000 (an increase from the cap of $150,000 under the old law). Similarly, violations of the data security requirements can attract a civil penalty of not more than $5,000 per violation (as set out in § 350-D of the New York General Business Law).
In order to comply with the SHIELD Act, companies throughout the United States that process information relating to New York residents should review the information they collect and consider whether they need to update their data protection and breach notification policies and procedures. Such companies should also implement appropriate data security programs and safeguards as detailed in the Act.