Changes are Coming to New York’s Data Breach Notification and Security Requirements

New York recently enacted important changes to its data breach notification requirements (Breach Requirements) and created a statutory obligation to maintain reasonable data security (Security Requirements).  Under the new law, known as the SHIELD Act, the Breach Requirements become effective on October 23, 2019, while the Security Requirements become effective on March 21, 2020.  Here’s a helpful summary of some of the important (new) aspects of the SHIELD Act:

Breach Requirements

Access vs. Acquisition.  The SHIELD Act will no longer require unauthorized “acquisition” of data as a threshold matter, but will instead only require unauthorized “access” to data.

Private Information Expands.  The SHIELD Act adds new data elements to the list of those constituting “private information” that could trigger a notification requirement in the event of a breach.  The additional data elements include:

  1. account number or credit/debit card number if the number can be used to access a financial account without any additional identifying information, security or access code, or password;
  2. biometric information; and
  3. a user name or email along with a password or security question and answer that would permit access to an online account.

According to the statute, each of the first two data elements listed above will only constitute “private information” if combined with “personal information” (which is basically any information about a person that can be used to identify the person).  However, the third data element listed above will constitute “private information” on its own.

Conducting Business in NY – Not Required. Under the SHIELD Act, application of the law will no longer depend upon whether the data owner or licensee “conducts business” in New York.  The key will be whether the person or entity has private information of a New York resident.

Limited Individual Notification Exception.  The new law will provide limited exceptions to the individual notification requirement (based on status of the disclosing person, type of disclosure, and a “risk of harm” analysis); however, the law will require notification to the attorney general where the incident affects more than 500 NY residents.  Additionally, the new law will not require additional notifications to individuals to whom notice is already being provided under certain other statutory or regulatory schemes (e.g., HIPAA and GLBA); however, notice will still be required to New York’s attorney general, department of state and division of state police. Finally, any covered entity required to notify the Secretary of Health and Human Services pursuant to HIPAA will also be required to notify the New York attorney general (even if the breached information is not “private information” under the SHIELD Act).

No Notice by Email in Certain Cases.  Notification via email will remain an option under the SHIELD Act “except if the breached information includes an email address in combination with a password or security question and answer that would permit access to the online account,” in which case the statute provides alternative “online” notification options.

Security Requirements

Reasonable Safeguards.  The SHIELD Act will require any owner or licensee of data that includes “private information” of a New York resident to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the “private information” – including disposal of data.

Deemed Compliance.  Fortunately, the new law provides for “deemed compliance” for those who (i) implement a data security program that includes the administrative, technical and physical safeguards specified in the SHIELD Act, or (ii) are in compliance with other specified data security requirements applicable to them (e.g., regulations under HIPAA or GLBA), or (iii) qualify as a “small business” under the statute and implement a security program containing reasonable and appropriate administrative, technical and physical safeguards when taking into account size and complexity of the business, nature and scope of activities, and sensitivity of personal information collected.

Bobby Turnage leads Sands Anderson’s Cybersecurity and Technology Team. If you have any questions about this post or any other information security issues, please reach out to Bobby or a member of the Cybersecurity and Technology Team.