New York’s SHIELD Act Raises the Bar for Data Security, Data Breach Notifications

The State of New York recently enacted the Stop Hacks and Improve Electronic Data Security Act – dubbed the SHIELD Act – to expand the State’s existing requirements for data security and notifications of data breaches.

The SHIELD Act adds a number of protections for New York residents and has two key takeaways. First, the Act contains new requirements outlining how businesses must safeguard residents’ information. Second, the Act widens existing definitions, including what may trigger a data breach notification, and expands the scope of who is covered under the Act.

Security Requirements

The SHIELD Act says, “Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” This scope would include any entities that have information on New York residents, regardless of whether the person or entity’s place of business is in the State.

One of the key provisions of the Act is its requirement for “reasonable” safeguards. The SHIELD Act does not give any threshold or standard for what is “reasonable,” and guidance will likely come only as enforcement actions and court opinions interpret this standard. The following outlines the areas that must be addressed:

  • Administrative: These include, without limitation, designating at least one employee to coordinate security, training and managing employees in security practices and procedures, and selecting service providers that can maintain appropriate safeguards and adjust the security program as necessary.
  • Technical: These include, without limitation, assessing network and software design risks; detecting, preventing and responding to attacks or system failures; and regular testing and monitoring of key systems and procedures.
  • Physical: These include, without limitation, assessing information storage and disposal risks; and protecting against unauthorized access to private information during or after the information is collected, transported and destroyed.

Small businesses will not be held to the exact same standards as larger companies, however. The SHIELD Act has a carve-out for “small businesses,” defined as any person or business with (i) fewer than 50 employees, (ii) less than $3 million in gross annual revenue in each of the past three fiscal years, or (iii) less than $5 million in year-end total assets[1]. These small businesses will be in compliance if they establish safeguards “that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” Again, no definition is given for what an “appropriate” safeguard would be.

[1] The figures in (ii) and (iii) are both calculated in accordance with U.S. GAAP.

New Information, Breach Definitions

The SHIELD Act maintains the existing definition of “personal information,” which is defined as “information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” However, it significantly expands the definition of “private information,” which now includes:

(i) personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:

(1) social security number;

(2) driver’s license number or non-driver identification card number;

(3) account number, credit or debit card number, in combination with any required security code, access code, [or] password or other information that would permit access to an individual’s financial account;

(4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or

(5) biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; or

(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

Notably, this does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.

The SHIELD Act also updates the definition of a data breach to include incidents in which private information was merely accessed, regardless of whether that information was taken from the company’s system.

New Requirements and Penalties for Data Breaches

Under the SHIELD Act, people or businesses, after being notified of or discovering a breach that involves private information of a New York resident, must disclose the breach “in the most expedient time possible.”

There are exceptions, however. Notice to affected persons isn’t required if private information was exposed inadvertently by people authorized to access it, and there’s a reasonable belief that the exposure will not result in misuse, financial harm or emotional harm. Likewise, it is not required if the business has already made proper notifications as required by other regulations, including the Gramm-Leach-Bliley Act, HIPAA, and HITECH.

Enforcement

Notably, there is no private right of action for violations of the SHIELD Act and, as such, class actions will not be possible. Any enforcement will come from the New York Attorney General. Penalties fall into two different classifications. The first is for “knowingly and reckless” violations, which allows for a civil penalty of the greater of (i) $5,000; or (ii) up to $20 per instance of failed notification, with a cap of $250,000. For violations that are neither reckless nor knowing, the penalty can include the actual cost or loss incurred by persons affected by the breach, including financial loss as the result of a breach. For violations of the reasonable safeguards standard, penalties may be up to $5,000 per violation.

Darren Mooney

Partner and Co-Head of Business Development

Darren Mooney is a Partner and the Co-Head of Business Development at Greyline. Before joining Greyline, Darren served as deputy chief compliance officer of Partner Fund Management where he held primary responsibility for the compliance program of the second-largest hedge fund in the Bay Area. Prior to that, Darren spent five years providing compliance consulting services at Cordium and then ACA Compliance Group, where he led the company’s San Francisco office and west coast operations. In addition to providing ongoing consulting services to a variety of investment managers, including hedge fund, private equity, venture capital, real estate, quantitative and other wealth managers, Darren also regularly guided clients through the SEC registration process, implemented tailored compliance programs, supported clients’ live SEC exams, and served as an SEC-mandated independent compliance consultant following an SEC enforcement action. Darren’s other experience includes serving as deputy chief compliance officer and associate counsel at F-Squared Investments where he directly supported the compliance program during the investigation and subsequent enforcement regarding historical advertising practices. Darren has a B.S. in Economics from the University of Delaware and a J.D. from Suffolk University Law School. He is a member of the Massachusetts bar.

Annie Kong

Partner and Head of Venture Capital

Annie Kong is a Partner and Head of the Venture Capital Division at Greyline. She provides ongoing compliance consulting to investment advisers and manages client relationships. Prior to joining Greyline, Annie was part of compliance and operations at a long-only manager-of-managers that advised pension fund clients. While there, she conducted compliance and operational due diligence on SEC-registered investment advisers on the platform. She also oversaw and counseled on various legal matters across the firm. Annie has a B.A. in Economics from the University of California, San Diego, and a J.D. from the University of San Diego School of Law. She is an active member of the State Bar of California.