New York Enacts Stricter Data Cybersecurity Laws

The flurry of state legislative activity in the wake of the enactment of the California Consumer Privacy Act (CCPA) continues, with the New York legislature recently passing two bills to increase accountability for the processing of personal information.  On July 25, 2019, Governor Cuomo signed the two bills into law: one amends the state’s data breach notification law, and the other creates additional obligations for consumer credit reporting agencies that suffer a data breach.  Together, the new laws require the implementation of reasonable data security safeguards, expand breach reporting obligations for certain types of information, and require that a “consumer credit reporting agency” that suffers a data breach provide five years of identity theft prevention services to affected residents.  Meanwhile, the more comprehensive New York Privacy Act, which many viewed as even more expansive than the CCPA, failed to gather the necessary support in the most recent legislative session.

The Stop Hacks and Improve Electronic Data Security Act

The Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) updates New York’s breach notification law by broadening the definition of private information, expanding notification requirements, and requiring entities that handle private information to implement a data security program with “reasonable” administrative, technical and physical safeguards.  The breach notification amendments take effect on October 23, 2019 (ninety days after signing); the reasonable security requirement takes effect on March 21, 2020 (240 days after signing).

The SHIELD Act’s reach extends beyond New York State; the law applies to any person or business that owns or licenses computerized data including the private information of New York residents, “regardless of whether the person or business conducts business in New York.”  The law broadens the definition of “private information,” which sets forth the data elements that, if breached, can trigger a notification obligation.  Under the new law, private information retains the elements covered under the 2005 breach notification law (such as Social Security numbers, driver’s license numbers, and account numbers in combination with a required access code) and adds three categories: financial account numbers without an additional identifying access code “if circumstances exist wherein such number could be used to access” the account; biometric data; and a user name or email address in combination with a password or security question and answer that would permit access to an online account.

Prior to the enactment of the SHIELD Act, a “breach of the security of the system” was defined as “unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.”  Now, the notification obligation is triggered for breaches where there is “unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data…”  In addition to adding an “access” trigger, the SHIELD Act introduces a risk-of-harm threshold for “inadvertent disclosures” by persons authorized to access the private information: notice to affected residents is not required if the person or business “reasonably determines such exposure [of private information] will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials[.]”  In that case, the determination not to notify must be documented in writing and maintained for at least five years, and if the incident affects more than 500 New York residents, the written determination must be provided to the state attorney general within ten days after it is made.

Furthermore, entities that already comply with (and provide notice to affected individuals under) the breach notification requirements of certain state or federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the New York Department of Financial Services cybersecurity regulations (23 N.Y.C.R.R. Part 500), and the Gramm-Leach-Bliley Act (GLBA), are not required to separately notify affected New York residents; such entities must still notify the state attorney general, the department of state and the division of state police of the breach.  In addition, if an entity experiences a HIPAA breach that it must report to the U.S. Department of Health and Human Services (HHS), it must provide notice to the New York Attorney General within five business days of notifying HHS, even if the incident would not otherwise be a reportable breach under New York law.

The SHIELD Act also adds a new data security requirement for companies to adopt reasonable safeguards to protect state residents’ data.  Rather than defining “reasonable,” the statute provides examples of administrative, technical and physical safeguards.  For instance, reasonable administrative safeguards include when a person or business “designates one or more employees to coordinate the security program” and “trains and manages employees in the security program practices and procedures”; reasonable technical safeguards include when a person or business “regularly tests and monitors the effectiveness of key controls, systems and procedures”; and reasonable physical safeguards include when a person or business “disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”  A “small business” (fewer than fifty employees, less than three million dollars in gross annual revenue in each of the last three fiscal years, or less than five million dollars in year-end total assets) may scale its safeguards to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information it collects.  All companies subject to the New York law should review the “reasonable security requirement[s]” specified in detail in section 4 of the SHIELD Act and consider documenting their implementation of these standards:

Reasonable security requirement.

(a) Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.

(b) A person or business shall be deemed to be in compliance with paragraph (a) of this subdivision if it either:

(i) is a compliant regulated entity as defined in subdivision one of this section; or

(ii) implements a data security program that includes the following:

(A) reasonable administrative safeguards such as the following, in which the person or business:

(1) designates one or more employees to coordinate the security program;

(2) identifies reasonably foreseeable internal and external risks;

(3) assesses the sufficiency of safeguards in place to control the identified risks;

(4) trains and manages employees in the security program practices and procedures;

(5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and

(6) adjusts the security program in light of business changes or new circumstances; and

(B) reasonable technical safeguards such as the following, in which the person or business:

(1) assesses risks in network and software design;

(2) assesses risks in information processing, transmission and storage;

(3) detects, prevents and responds to attacks or system failures; and

(4) regularly tests and monitors the effectiveness of key controls, systems and procedures; and

(C) reasonable physical safeguards such as the following, in which the person or business:

(1) assesses risks of information storage and disposal;

(2) detects, prevents and responds to intrusions;

(3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and

(4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Similar to Ohio’s recently enacted Data Protection Act, entities in compliance with the data security requirements of certain federal and state laws are deemed in compliance with the data security requirements under the SHIELD Act.  The Act provides that a person or business is a “compliant regulated entity” if it is subject to and complies with the security requirements of GLBA, HIPAA (including the HITECH Act), Part 500, or “any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government …”  Unlike the Ohio law, however, the New York law does not provide an express “affirmative defense” against state tort actions for entities with compliant information security programs.

Moreover, unlike the contemplated New York Privacy Act, the SHIELD Act does not provide a private right of action.  Instead, the state attorney general may enforce the law by bringing actions to enjoin violations and obtain civil penalties (up to $5,000 per violation of the reasonable security requirement).  However, potential litigants may still allege negligence claims in relation to data breaches and invoke the unfairness or deception prongs of the state’s “little FTC Act,” codified at N.Y. Gen. Bus. Law §349.  Significantly, the new law states that violations of the “reasonable security requirement[s]” of the SHIELD Act are violations of §349.  However, the Act’s express statement that “nothing in the section [concerning reasonable security requirements] shall create a private right of action” is likely to be the basis of arguments in data security litigation that the new law vitiates, for these violations, the private right of action otherwise provided in §349(h).

The Identity Theft Prevention and Mitigation Services Act

Spurred by Equifax’s 2017 data breach, the New York legislature also passed the Identity Theft Prevention and Mitigation Services Act.  The law, which takes effect sixty days after Governor Cuomo signed it on July 25, 2019, requires consumer credit reporting agencies that suffer a breach involving Social Security numbers to provide five years of identity theft prevention and mitigation services to affected consumers.  The law also allows affected New York residents to freeze their credit, free of charge.

More State Privacy and Cybersecurity Legal Developments on the Horizon

The two New York laws detailed above show that, despite slow progress in Congress on omnibus federal privacy legislation, state legislatures continue to push their own privacy and cybersecurity initiatives forward.  And while New York has passed two measures already, more privacy laws may yet be forthcoming.  Omnibus legislation may reappear, and New York City council members introduced legislation this month that could bar telecommunications companies from sharing customers’ location data collected within the city’s five boroughs.  As states like New York toughen their privacy laws, organizations should carefully review the data they collect and assess which states’ laws apply, with a mind to legislative and regulatory trends nationwide, and continue to develop robust data protection programs with built-in safeguards to protect consumer information.