SHIELD and Sword: New York's Far Reaching Statute Governing Data Breaches
It may be a while before law enforcement can devote attention to the broadened scope of data breach liability under the new NY SHIELD (Stop Hacks and Improve Electronic Data Security) Act. Then again, it might not.
May 08, 2020 at 02:20 PM
8 minute read
Important changes in New York's data privacy law took effect on March 21. But that was just two days after Gov. Andrew Cuomo declared the COVID-19 state of emergency, so you may not have been focusing closely on privacy law. If you didn't notice, however, rest assured you're not alone.
And it still may be a while before law enforcement can devote attention to the broadened scope of data breach liability under the new NY SHIELD (Stop Hacks and Improve Electronic Data Security) Act. Then again, it might not. Data protection regulators around the globe already are warning of increased risks to the security and privacy of personal information resulting from COVID-19 and increased remote work online, including fraud schemes and illicit sharing of health information. Even in the United States, the California Attorney General has announced that enforcement of that state's new Consumer Privacy Act (CCPA) will proceed on schedule beginning July 1, 2020 despite COVID-19. Fortunately, compliance with the NY SHIELD Act complements the CCPA and even the EU General Data Protection Regulation (GDPR) and so benefits business implementation of CCPA and/or GDPR.
|What the NY SHIELD Act Adds to California CCPA and EU GDPR Compliance
The NY SHIELD Act has significant similarities to the CCPA and GDPR, including its application to businesses that collect personal information regarding people living in the state, even when the business does not have offices there. And like the GDPR, small businesses are not exempt from the SHIELD Act. Like both the CCPA and GDPR, the SHIELD Act significantly expands the definition of protected "personal information" to include both "any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person" (emphasis added) and biometric information. General Business Law §899-AA(1)(b). The NY SHIELD Act also expands the definition of data breach to include unauthorized access to private information even when private information was not actually acquired, similar to the CCPA and GDPR. General Business Law §899-AA(3). As with the NY SHIELD Act, under the CCPA and the GDPR businesses have a duty to implement and maintain reasonable security practices and procedures appropriate to the risk presented by the personal information they process. However, unlike the NY SHIELD Act, the CCPA and GDPR do not specify what constitutes reasonable data security. Here's where the benefit of compliance with the NY SHIELD Act really provides value to a business' data privacy and security protection compliance program—by reducing the mystery of compliance and specifying at least some required components of an effective data security program allowing businesses to be better able to meet 'reasonable data security' for the CCPA and GDPR, as well as the NY SHIELD Act.
|Overview of the NY SHIELD Act
The New York SHIELD Act can be found at General Business Law §§899-AA and 899-BB. It requires owners and licensors of computerized data that includes private information concerning New York residents to "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but not limited to, the disposal of data." General Business Law §899-BB(2)(a). Entities already compliant with specified federal or state cybersecurity statutes or regulations also satisfy the SHIELD Act. Gramm-Leach-Bliley Act Title V; HIPPA regulations and the Health Information Technology for Economic and Clinical Health Act; New York State Department of Financial Services regulations, 23 NYCRR Part 500; and other federal or state data security requirements. (The last category could be a safe harbor for entities that are federal or state contractors.) Otherwise they must implement a three-part written data security program with both reasonable administrative and technical safeguards, as set out in the law, as well as reasonable physical safeguards, with examples provided in the statute.
Small businesses are not exempt but do get their own test: whether a security program "contains reasonable administrative, technical and physical safeguards that are appropriate for the size and scope of the business activities, and the sensitivity of the personal information the small business collects from or about customers." (Small business is defined in General Business Law §899-BB(1)(c) as (i) a person or business with fewer than 50 employees; (ii) less than $3 million in gross revenue for the last three fiscal years, or (iii) less than $5 million in year-end total assets. It is unclear from the face of the statute whether all three numbered provisions, or only (ii) and (iii), are meant to be disjunctive.) These definitions provide flexibility but the words "reasonable" and "appropriate" can be ambiguous.
|Required Notice
The part of the statute already in force before March 21st spelled out the five kinds of access-related information disclosures that are punishable under the law: (1) an account or card number, if that alone is sufficient to access an account; (2) if a password or similar security device is needed to access the account, then an account or card number in conjunction with the password or security code; (3) biometric information; (4) a user name or e-mail which, in conjunction with a password or security code, permits access to a financial account; and (5) HIPPA-related information. The law requires companies to provide notice to New Yorkers when information relating to them was revealed. If the data included information owned by or licensed from another party and private data was or reasonably is believed to have been accessed, that owner or licensor also must be notified of the disclosure "immediately following discovery."
If information relating to more than 500 New Yorkers was revealed, the law requires businesses to notify state officials within 10 days. If officials are not notified, the New York Attorney General can sue for injunctive relief and actual costs or losses incurred, including consequential damages. Finally, if the violation was knowing or reckless, the court also can award a civil fine of $5,000, or $20 per instance of failure to notify, whichever is greater, up to a ceiling of $250,000.
Importantly, the law's jurisdictional foundation is the disclosure of data "concerning" a New Yorker. As a result, the statute applies to data breaches occurring outside New York if data relating to a New York resident was disclosed. However, the SHIELD Act does not specifically create a private right of action for data disclosure. (These provisions already were in force. Some authors have suggested that monetary remedies under General Business Law §349 could apply. That would permit recovery of actual damages or $50, whichever is larger, with the potential for the court to boost the amount to three times actual damages, not to exceed $1,000, for willful and knowing violations, plus reasonable attorneys' fees. The authors suspect the SHIELD Act was intended to foreclose that option by addressing only actions by the Attorney General.)
No notice is required if the data exposure was accidental and resulted from an authorized user's access to the data, so long as the business "reasonably" determines that misuse of the information, or financial harm, or in some instances, emotional harm, is unlikely. That determination must be documented and kept on file for five years. The statute of limitations is three years from when affected persons were notified or when the Attorney General learned of the breach, whichever is earlier, and in any event, not more than six years. It is very dangerous to try to conceal a breach, because that can mean there is no limitations period.
Courts largely will be writing on a blank slate regarding the SHIELD Act. There are no regulations regarding the statute yet, and the statute does not require any state agency to create them. The repeated use of "reasonable" in General Business Law §899-BB suggests there will be an opportunity to raise and a need to resolve factual disputes as to what was "reasonable" in particular circumstances, with little guidance from the statute. Given the technical nature of the issue, and the likely fluidity of what is "reasonable" in a fast-changing technological field, expert testimony probably will figure prominently in any trial and in pre-trial dispositive motions. Given that courts likely will be writing on a blank slate, it may be wise for entities that later might need to establish the reasonableness of their conduct to follow applicable industry standards.
David Jacoby ([email protected]) and Linda Priebe ([email protected]) are partners at Culhane Meadows, PLLC, in its New York and Washington, D.C. offices, respectively. Mr. Jacoby is an adjunct professor of law at Fordham University School of Law. Ms. Priebe is a member of the International Association of Privacy Professionals and holds its CIPP/Europe certification.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Law Firms Mentioned
Trending Stories
- 1Gibson Dunn Sued By Crypto Client After Lateral Hire Causes Conflict of Interest
- 2Trump's Solicitor General Expected to 'Flip' Prelogar's Positions at Supreme Court
- 3Pharmacy Lawyers See Promise in NY Regulator's Curbs on PBM Industry
- 4Outgoing USPTO Director Kathi Vidal: ‘We All Want the Country to Be in a Better Place’
- 5Supreme Court Will Review Constitutionality Of FCC's Universal Service Fund
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
