In November 2017, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was introduced in the New York State Assembly as an amendment to Sections 899 (aa) and 208 (a) of New York State’s breach notification law. The proposed bill is referred to as the New York Data Security Act. The intent of the act is to protect New Yorkers’ private information from an increasing number of data breaches by strengthening and updating New York’s current data security laws. This article provides an overview of the New York Data Security Act, key changes, handling a breach, and penalties for non-compliance.
It is important to note that the act states that its effective date is January 1, 2018; however, at the time of this article, the SHIELD Act (and proposed changes) is only a bill—it has not yet become a law. Companies that may be affected by the act should monitor the status of this bill.
Why the act was established
The bill was introduced after the release of New York Attorney General Eric T. Schneiderman’s report announcing that the Attorney General’s office received a record number of data breach notices in 2016—nearly a 60 percent increase over the previous year—and following the Equifax breach in September 2017. With the increase in recent breaches, New Yorkers’ information is at risk more than ever before.
Under the Act, any company that handles a New York resident’s private information—whether they do business in New York or not—would be required to implement and maintain certain reasonable administrative, technical, and physical safeguards. The proposed bill includes clear examples of safeguards under the new Section 899-BB Data Security Protections, including the implementation of a Data Security Program that includes all required safeguards. Examples of safeguards include, but are not limited to, the following:
- Designate one or more employees to coordinate the security program
- Identify reasonably foreseeable internal and external risks
- Train and manage employees in the security program’s practices and procedures
- Assess risks in network and software design
- Assess risks in information processing, transmission, and storage
- Detect, prevent, and respond to attacks or system failures
- Assess risks associated with information storage and disposal
- Detect, prevent, and respond to intrusions
- Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
It should be noted that these safeguards are dependent on the size and complexity of the company.
Key changes proposed by the act
There are multiple proposed changes, starting with the meaning of “private information”. Under the current law, private information is any personal information in combination with (1) a person’s Social Security number; (2) driver’s license number; or (3) account, credit, or debit card number, in combination with any required security code, access code, or password that would allow access to the account. The act revises the definition to include financial account numbers that can be used alone to access a financial account, as well as biometric data, as types of data that, when combined with personal information, may lead to that data being reclassified as “private information.”
The act likewise states that additional types of data are considered private information when standing alone, i.e., in the absence of additional identifying personal information. These include data points such as a username or email address in combination with a password or a security question and answer that permits access to an online account, and unsecured protected health information covered by the federal Health Insurance Portability and Accountability Act (HIPAA). Under both the current New York law and the proposed amendment, “personal information” is defined as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
Some of the additional proposed changes include, but are not limited to, the following:
- A new section has been added that carves out “compliant regulated entities,” meaning that companies already regulated by and compliant with regulations of any federal or New York State government entity (including NYS DFS regulations; regulations under Gramm-Leach-Bliley; HIPAA regulations; or ISO/NIST standards) will be deemed compliant with this law’s reasonable security requirement. To qualify, companies will be required to have such compliance certified annually by an independent third party and to provide a copy of the certification of compliance to the Attorney General.
- The changes provide a more flexible standard for small businesses (fewer than 50 employees and under $3 million in gross revenue; or less than $5 million in assets). Small businesses that implement and maintain reasonable safeguards, appropriate to the size and complexity of the business, to protect the security, confidentiality, and integrity of private information shall be deemed compliant.
- The act broadens the requirements for reporting a breach to the Attorney General by adding “access to” or viewing of private information as a trigger for notification, and by adding data types (username and password combinations, biometric data, and HIPAA-covered health data) that require notification.
What to do if you’ve been breached
Under the current New York State Data Security Act, any known or suspected breach in which private information has been accessed or acquired by a person without valid authorization, or by an unauthorized person, is considered a reportable breach. If such an incident occurs to you or your business, it is imperative that proper notification be provided to any New York State resident as soon as possible and without unreasonable delay. A reasonable delay may occur while the organization determines the scope of the breach or restores the integrity of the compromised system to a reasonable state.
Notices to affected parties are to include various details as required by the New York Data Security Act. First and foremost, the notice should include the type of private information that is either known or believed to have been compromised. Secondly, it should include the contact information for the person or business that is providing the notice. Lastly, the notice should include the phone number and website of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information. If more than 5,000 New York residents are to be notified at one time, the person or business shall notify consumer reporting agencies as to the timing, content, and distribution of the notices, and the approximate number of affected New York residents.
Disclosures of a breach of private information to affected New York residents should be made by written notice; however, under certain circumstances, electronic notices are an appropriate method of delivery. If the individual consents to receive electronic notice of a breach, electronic notice is appropriate. It should be noted that the New York Data Security Act specifies that a person or business cannot make consent to receive electronic notice of a breach of private information a requirement of establishing business. Additionally, if the person or business can prove that the cost of providing a non-electronic notice exceeds $250,000 or the number of individuals to be notified exceeds 5,000, an electronic notice is appropriate. Otherwise, unless the organization does not have the appropriate information to provide a written notice, electronic notices are not appropriate for disclosing a breach of private information.
Penalties for non-compliance
Outside of any legal ramifications that may be brought forward by New York residents as a result of a breach of their private information, the New York Data Security Act has established penalties for non-compliance. If the Attorney General believes that the person or business has deviated from the established guidelines of the New York Data Security Act, the Attorney General reserves the right to bring legal action in the name of and on behalf of the people of the state of New York. Additionally, the Court of Justice may award damages for actual costs or losses incurred by a person entitled to notice, including any consequential financial losses. Finally, if the person or business knowingly or recklessly violates the guidance detailed within the New York Data Security Act, the court may impose a penalty of the greater of $5,000 or up to $20 per instance, not to exceed $250,000.
If passed, the SHIELD Act is intended to help protect companies that hold New York residents’ PII (not just companies located in New York) from cyberattacks. The act likewise details the steps required to safeguard private information and to maintain compliance with the new, enhanced data security requirements.