Updates to New York State’s Breach Notification Law Head to Governor’s Desk

Privacy and Data Security

On June 17, the New York State Senate passed S5575B, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act to amend the state’s breach notification law, N.Y. Gen. Bus. Law § 899-aa. New York now joins the growing number of states revamping their breach notification and data security laws by broadening the scope of protected information and requiring businesses to implement reasonable security controls.1

Among the new categories of “private information” that may trigger notification are:

  • Biometric information, including a fingerprint or retina image;
  • Credit or debit card numbers without a security code, provided the number could be used to access an individual’s financial account; and
  • User names or email addresses together with passwords or security questions and answers that could permit access to an online account.

Other key changes include:

  • Expanding the definition of a breach to include unauthorized access to private information, in addition to unauthorized acquisition of it. Indicators of access include evidence that the information was viewed, copied or downloaded, so an intrusion that merely exposes data, without exfiltration, can now trigger notification.
  • Requiring businesses that own or license New York residents’ private information to implement “reasonable safeguards” to protect the security of the information.
  • Creating an exception to breach notification obligations where exposure of private information results from an inadvertent disclosure by a person authorized to access it and the business reasonably determines the exposure is not likely to result in misuse of the information or financial or emotional harm to the affected persons. That determination must be documented in writing and retained for five years, and where more than 500 New York residents are affected the written determination must be provided to the attorney general within 10 days. While this creates a new exception, the inclusion of undefined emotional harm may in effect make it narrower than the risk-of-harm exceptions in other states.
  • Exempting a business from separate notification obligations where it has already made notification under certain other federal or New York regimes, including those promulgated under the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500), or rules of other state departments or agencies. Note that the exemption covers only the duplicate notice to affected persons; the business must still notify the attorney general, the Department of State and the state police.
  • Expanding from two years to three years the period of time in which the New York attorney general may bring an action against a business for violations of the act.

Compliance with the new “reasonable safeguards” standard may have a significant impact on businesses maintaining private information of New York residents. The SHIELD Act sets forth a list of administrative, technical and physical safeguards that businesses may be required to implement through an information security program. These safeguards include (i) designating one or more employees to coordinate the security program, (ii) training and managing employees in security program practices, (iii) regularly testing and monitoring the effectiveness of key controls, systems and procedures, (iv) detecting, preventing and responding to attacks, intrusions or other system failures, and (v) disposing of private information within a reasonable time after it is no longer needed for business purposes.

The SHIELD Act permits a “small business” (one with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) to tailor its information security program to the business’s size and complexity, the nature and scope of its activities and the sensitivity of the private information it maintains, but the practical effect of that standard remains to be seen. Businesses not meeting the definition of a small business may still be deemed compliant if they are already subject to, and comply with, certain other data security requirements, such as those found under GLBA, HIPAA or the NYDFS Cybersecurity Regulation.

Notably, the SHIELD Act was passed following the introduction of S5642, the New York Privacy Act, in the New York State Senate on May 9. The New York Privacy Act, a comprehensive data privacy bill, has quickly drawn comparisons to the California Consumer Privacy Act (CCPA). While the nascent New York Privacy Act could ultimately have a greater impact on entities conducting business in New York, the SHIELD Act will likely have a more immediate effect on businesses and consumers. Assuming the Governor signs the bill into law, the breach notification amendments take effect 90 days after signing, and the new “reasonable safeguards” data security requirements take effect 240 days after signing.

Full text of the bill can be found here.

Why it matters: Companies doing business in New York that maintain private information of New York residents should review their cybersecurity policies and procedures and update their incident response plans to reflect the broader definitions of “private information” and “breach,” including the new access-based trigger. Companies should also confirm that their information security programs implement the SHIELD Act’s required administrative, technical and physical safeguards before the data security provisions take effect. Finally, companies would be well advised to continue to monitor the New York Privacy Act as it makes its way through the New York State Legislature. Manatt’s privacy and data security team will continue to update and advise you about important developments in this space.

1 New York joins states such as Arkansas (expanding its definition of personal information under its breach notification statute to include biometric information, effective July 2019), Colorado (amending its breach notification statute to require businesses to implement reasonable security procedures, already in effect), Louisiana (expanding its definition of personal information under its breach notification statute to include biometric information, already in effect), New Jersey (expanding its definition of personal information under its breach notification statute to include email addresses and online user names, effective September 2019) and Texas (amending its breach notification statute to include a notification timeline to consumers and the state attorney general, effective January 2020).