New York's SHIELD Act: How Much Will Your Inadvertence Cost You?
A business should carefully consider whether and how the inadvertent disclosure exemption applies and think through potential litigation risks before invoking the exemption.
May 08, 2020 at 02:40 PM
Data breaches and identity theft are threats that consumers and businesses must protect themselves from and react to more commonly than either would like. This article: (1) outlines the requirements and procedures for companies to invoke the inadvertent disclosure exemption of the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and (2) explains the potential litigation scrutiny that can follow invoking this exemption.
On July 25, 2019, Gov. Andrew Cuomo signed the SHIELD Act into law, which made several significant changes to New York's data breach notification statute, New York General Business Law (GBL) §899-aa. See S.5575B/A.5635. The changes include, among others: (1) adding an exemption to the individual notice requirement for "inadvertent disclosure," GBL §899-aa(2)(a); (2) broadening the definition of "breach" to encompass "access" in addition to acquisition when it "is reasonably believed" that the "information was viewed, communicated with, used, or altered," id. §899-aa(1)(c); (3) broadening the legal definition of "private information" (that is subject to a breach notice and data security requirement) to also include "account number, credit or debit card number … without additional identifying information, security code, access code, or password," biometric information, and "a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account," id. §899-aa(1)(b); (4) imposing additional "reasonable" data security requirements on businesses, which requires the implementation of a statutorily compliant data security program for companies not otherwise regulated, id. §899-bb(2); and (5) expanding the geographical scope of the statute to cover any company that "owns or licenses computerized data which includes private information of a resident of New York," id. §899-bb(2). The changes to the notification requirements took effect Oct. 23, 2019, and the data security requirements took effect on March 21, 2020.
Before the SHIELD Act, New York required a business to provide breach notice regardless of whether individuals were at a risk of harm. Avoiding notice in risk-free situations is attractive in light of the costs related to notifiable data breaches. A 2019 study estimates that the average cost to a U.S. business from "inadvertent breaches from human error and system glitches" is approximately $3.25-$3.5 million. Ponemon Institute, Cost of a Data Breach Report (2019), at p. 7, 35. However, businesses should consider the limitations of this exemption and whether invoking the exemption unjustifiably could expose the business to costly litigation risk in the long run.
The Inadvertent Disclosure Exemption
To qualify for the "inadvertent disclosure" exemption, a business must "reasonably" determine that all of the following apply:
- that the exposure was "inadvertent,"
- disclosed by someone who was "authorized to access private information," and
- that the exposure is "not likely" to result in any of the following: (a) misuse of the information, (b) financial harm, or (c) emotional harm to affected individuals.
GBL §899-aa(2)(a). The business must document its determination in writing and maintain that documentation for five years. Id. And, if the breach involved more than 500 New York residents, the business must provide its determination to the New York Attorney General within ten days of it being made. Id.
The SHIELD Act, however, does not define "inadvertent," and New York courts have not interpreted this phrase in the data breach context generally. So businesses will need to make their own determination as to the meaning of the term. The phrase "inadvertent disclosure" is used in analogous contexts, such as when evaluating the potential for waiver of the attorney-client privilege. Courts have generally noted that "[i]nadvertent disclosures are, by definition, unintentional acts." New Bank of New England v. Marine Midland Realty, 138 F.R.D. 479, 482 (E.D. Va. 1991). And, courts have referred to Black's Law Dictionary, which defines "inadvertence" as "an accidental oversight; a result of carelessness" and "inadvertent disclosure" as "[t]he accidental revelation of confidential information, as by sending it to a wrong e-mail address or by negligently allowing another person to overhear a conversation." Inadvertence, Inadvertent Disclosure, Black's Law Dictionary (11th ed. 2019); see also Adelman v. Coastal Select Insurance Co., No. 17-cv-3356-DCN, 2019 WL 465600, at *4 (D.S.C. Feb. 6, 2019) (referring to inadvertence); Leblanc v. Texas Brine Co., No. 12-2059, 2019 WL 5265063, at *7 (E.D. La. Oct. 17, 2019) (referring to inadvertent disclosure). Inadvertent disclosures most likely include, by way of example, accidentally transmitting "private information" to the wrong email address, leaving behind an unencrypted laptop or other personal device, or accidentally exposing the information to others (for example, through sharing a screen on an online video-conference).
Could the Use of the 'Inadvertent Disclosure' Exemption Expose a Business to Greater Litigation Risk?
Before invoking the inadvertent disclosure exemption, a business should consider carefully whether the disclosure was inadvertent, whether it involved someone authorized to access the data, and whether it is unlikely to create a risk of harm. If the business decides to rely on the exception, it should document its conclusions clearly in writing. While there is no private right of action under New York's data breach notification act, an inappropriate decision to use the inadvertent disclosure exemption could negatively affect follow-on litigation and increase a business' overall litigation risk from the breach. See Abdale v. North Shore Long Island Jewish Health System, 19 N.Y.S.3d 850, 858 (N.Y. Sup. Ct. 2015) ("[N]o private right of action exists with respect to General Business Law §899-aa").
As with all breach investigations, businesses should consider that they are creating a potential record that may or may not be discoverable in follow-on litigation or regulatory actions. Litigation, for example, can arise in any of the following scenarios as a result of an incident:
- litigation against a vendor or individual involved in the exposure;
- a data breach class action;
- for public companies, a securities class action; or
- a derivative action against the company's board of directors.
Businesses should consider involving litigation counsel as part of the team when the incident is first identified, to assist with risk assessments and advise on whether it is appropriate to invoke the inadvertent disclosure exemption. Depending on the facts of a particular situation, the risks associated with invoking the exemption may outweigh the benefits of avoiding individual notification. The cost of simply sending notification is low; notification costs make up only a portion of the approximately 5% of the overall cost of a data breach attributed to that category. Ponemon Institute, Cost of a Data Breach Report (2019), at 35. On the other hand, defending data breach litigation can be expensive, particularly if a company is forced to defend a questionable invocation of the inadvertent disclosure exemption as part of its overall narrative about the data breach and the company's response thereto.
From a litigation risk perspective, we highlight three considerations. First, a business' determination that a disclosure was "inadvertent" could be subject to attack because "inadvertent" is not defined in these circumstances and the business will be held to a standard of reasonableness. A company's decision can have unintended consequences in follow-on litigation if it is a close call, including, but not limited to, being painted by plaintiffs' counsel as "covering up" a breach, or plaintiffs' counsel arguing that the business improperly failed to notify individuals, which caused them further harm or prevented them from taking steps to protect themselves.
Second, where a business decides that the individuals affected are "not likely" to be harmed (financially or emotionally) or the information misused, but later an individual is ultimately harmed, there is a risk that a plaintiff's counsel will use the benefit of hindsight to claim that the business made an unreasonable (or even intentional or reckless) determination and denied that individual notice of the breach, which prevented him or her from taking mitigating steps.
Third, the business' rationale for invoking the inadvertent disclosure exemption must be in writing and retained for five years. Plaintiffs' counsel are likely to seek this record explaining the determination; while it should be privileged, plaintiffs will likely challenge privilege assertions. Regardless, the record could lock the business into its litigation position on both the cause of the breach and the potential harm to customers and make it harder to pivot or adapt to information learned after the determination was made or to changed circumstances. Moreover, plaintiffs' counsel will attack the thoroughness and reasoning of the business' decision.
In summary, a business should carefully consider whether and how the inadvertent disclosure exemption applies and think through potential litigation risks before invoking the exemption.
Keara Gordon is co-chair of DLA Piper's class action litigation practice group. Jim Halpert is a partner in the litigation, arbitration and investigations and cybersecurity groups. Colleen Carey Gulliver is a partner in the litigation, arbitration and investigations group. Caroline Fish is an associate in the litigation, arbitration and investigations group.