On July 25, 2019, New York Governor Andrew Cuomo signed the “Stop Hacks and Improve Electronic Data Security Act,” a/k/a the SHIELD Act. Its amendments to New York’s breach notification law took effect on October 23, 2019, and its data security requirements take effect on March 21, 2020. Although we have previously provided a basic overview of the statute, given that its remaining provisions are slated to take effect in just a few months and will fundamentally expand the legal landscape of New York cybersecurity law, a brief refresher is in order.
The SHIELD Act expands on New York’s existing breach notification statute, codified at New York General Business Law § 899-aa, and adds a new § 899-bb imposing affirmative data security requirements. The SHIELD Act is particularly significant because it changes the legal definition of a “breach of the security of the system” to include unauthorized access to private information on a data system, regardless of whether any such private information is actually acquired or stolen. Under the prior law, only unauthorized acquisition triggered the statute.
The SHIELD Act further expands the definition of “private information” to encompass biometric data, such as fingerprints, voice prints, retina or iris images, or any other data generated by “electronic measurements of an individual’s unique physical characteristics.” It also adds a user name or email address in combination with a password or security question and answer that would permit access to an online account, and an account number or credit or debit card number even without a security code or password if the number alone could be used to access the account.
The legislation requires: “Any person or business which [conducts business in New York state, and which] owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, ACCESSED OR acquired by a person without valid authorization.” This is particularly noteworthy, since the legislation applies not only to entities located in New York State but to any business or other entity, wherever located, that owns or licenses the private information of New York State residents.

Additionally, the SHIELD Act updates the notification procedures following a breach: affected individuals must be notified “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.” Notice is not required where exposure of the private information was an inadvertent disclosure by a person authorized to access it and the business reasonably determines that the exposure is not likely to result in misuse or financial or emotional harm, but that determination must be documented in writing and retained for five years, and must be provided to the Attorney General within ten days if it affects more than 500 residents.

Further, the legislation requires businesses and other entities that own or license computerized data containing the private information of New York State residents to “develop, implement and maintain reasonable safeguards” to protect that information. The statute lists examples of administrative, technical and physical safeguards that will satisfy this standard, including designating one or more employees to coordinate the security program, identifying reasonably foreseeable internal and external risks, assessing the sufficiency of safeguards to control those risks, training employees in the security program’s practices and procedures, selecting service providers capable of maintaining appropriate safeguards and requiring them to do so by contract, regularly testing and monitoring the effectiveness of key controls, and disposing of private information within a reasonable time after it is no longer needed. Entities already subject to and in compliance with the Gramm-Leach-Bliley Act, HIPAA/HITECH, or the New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500) are deemed compliant with this requirement, and small businesses (fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) may scale their safeguards to their size, the nature of their activities and the sensitivity of the information they hold.
The SHIELD Act is enforced by the New York Attorney General and creates no private right of action. For knowing or reckless violations of the notification requirements, a court may impose civil penalties of the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000. For failures to implement reasonable safeguards, penalties may not exceed $5,000 per violation.
We will continue to report on New York’s new law, including its legal implications for covered businesses.