June 19, 2019
The “Stop Hacks and Improve Electronic Data Security Act” a/k/a the SHIELD Act, which provides new and more comprehensive protections for New Yorkers' personal information and digital privacy, has been passed by both houses of the New York State Legislature and is now before Governor Cuomo for signature. The SHIELD Act seeks to expand on New York’s existing statute governing cybersecurity protections for its residents, codified at New York General Business Law § 899-aa.
The SHIELD Act is particularly significant because it changes the legal definition of what constitutes a “data breach” to include unauthorized access to private information on any data system, regardless of whether any such private information is actually stolen.
The SHIELD Act further expands the definition of “private information” to encompass biometric data, such as fingerprints, retinal scanning data, or any other “electronic measurements of an individual’s unique physical characteristics” as well as individuals’ usernames, email addresses, passwords and security questions and answers which can provide access to online accounts.
The legislation requires: “Any person or business which [conducts business in New York state, and which] owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, ACCESSED OR acquired by a person without valid authorization.” This is particularly noteworthy, since the legislation applies not only to New York State entities but to any businesses and other entities that store the private information of New York State residents.
Additionally, the SHIELD Act updates the notification procedures following a data breach so that the breach must be disclosed to affected individuals “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
Further, the legislation requires businesses and other entities which digitally store the personal information of New York State residents to implement reasonable data security safeguards, including designating cybersecurity personnel, implementing adequate controls for the protection of personal data, and training employees on cybersecurity policies, practices and procedures.
If enacted, the SHIELD Act will impose fines of $5,000 per violation, or $20 per notification failure with a limit of $250,000 per breach.
For any questions concerning the potential impact the SHIELD Act may have on you or your business, please contact Scott Watnik or Michael T. Contos at Wilk Auslander LLP.