In the continued absence of a mandatory federal data privacy regulation, states are taking the lead to implement regulations for their residents. The California Consumer Privacy Act (“CCPA”) has been top of mind for many businesses, but organizations of all sizes and types should become familiar with New York’s recently enacted data privacy law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The SHIELD Act became effective on March 21, 2020 and its goal is to strengthen protection for New York residents against data breaches affecting their private information. The SHIELD Act imposes more expansive data security and updates its existing data breach notification requirements so that in some ways, it is more broad-reaching than the CCPA. For information regarding breach issues related to the SHIELD Act, click here.
Is my business covered by the SHIELD Act?
The SHIELD Act applies to “any person or business which owns or licenses computerized data which includes private information” of a resident of New York. This is extremely broad and does not include CCPA’s requirements based on levels of revenue or data inventory. Importantly, the obligation to provide notification of a data breach extends to businesses outside of New York, provided that they own or license New York resident data. This means that an organization doesn’t even need to conduct business in New York to be subject to the Act!
What financial penalties does the SHIELD Act impose?
The SHIELD Act stopped short of authorizing a private right of action like CCPA does, but the New York Attorney General may file suit for violations of the law and obtain civil penalties as follows:
1) For data breach notification violations that are not reckless or knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses;
2) For knowing and reckless violations, a court may impose penalties of the greater of $5,000 or up to $20 per instance with a cap of $250,000; or
3) For reasonable safeguard requirement violations, a court may impose penalties of not more than $5,000 per violation.
Are there any exceptions for small businesses?
Not really. The breach notification rule applies to all businesses. However, the SHIELD Act’s data security obligations include some relief for small businesses, which are organizations with
• fewer than 50 employees;
• less than $3,000,000 in gross annual revenue in each of the last three fiscal years; or
• less than $5,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles.
Even if your business falls below these thresholds, you still need to maintain a security program, and that program needs to be “reasonable” based on the size and complexity of your business, your business activities, and the type of information you collect about consumers.
What are “reasonable” data security requirements?
As with the notification requirements, the SHIELD Act requires any person or business that owns or licenses computerized data that includes private information of a resident of New York to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.
The SHIELD Act does not mandate specific safeguards, but it provides several examples of practices that are considered reasonable administrative, technical and physical safeguards. These examples suggest the kinds of safeguards businesses should be adopting, but they are not the only safeguards companies should be adopting:
• Determine and assign individual(s) responsible for security programs;
• Develop and implement a risk assessment process that considers internal and external risks and assesses the sufficiency of safeguards in place to control those risks; and
• Train and manage employees in data security program practices and procedures.
• Determine risks to information storage and transfer;
• Detect, deter, and respond to disturbances; and
• Protect against unauthorized access/use of private information during or after collection, transportation, and destruction/disposal.
• Evaluate risks in network and software systems;
• Evaluate risks in data processing, transfer, and storage;
• Detect, deter, and respond to system attacks; and
• Frequently test and monitor the effectiveness of controls and processes.
Depending on the size and scope of your organization, there are a number of other considerations for compliance, and engaging a trusted advisor to assist will likely prove to be a prudent practice.
What is “Private Information” under the SHIELD Act?
Many jurisdictions use the term “personal information” to define protected data, but the SHIELD Act uses the term “private information” in its legislation, which is defined as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person”, as well as:
1. Personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
• social security number;
• driver’s license number or non-driver identification card number;
• account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account;
• account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
• biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; or
2. a username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Similar to the CCPA, private information excludes publicly available information that is lawfully made available to the general public from federal, state, or local government records.
How does the SHIELD Act apply to employee data?
The SHIELD Act likely applies to employees. The term “personal information,” upon which private information is largely based, means any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person. Employees are natural persons and, if they are New York residents, likely will be protected by the SHIELD Act.
What rights do New York residents have under the SHIELD Act?
Unlike the CCPA and certain other laws, the SHIELD Act does not (at present) create affirmative rights for New York residents. Under the CCPA, for example, consumers residing in California have the right to request that businesses subject to the law delete their personal information. There is no such right under the SHIELD Act, although efforts are currently occurring (such as Senate Bill 5642) which propose similar data rights for New York residents.
Do New York residents have a private right of action under the SHIELD Act?
The SHIELD Act does not create a private right of action. This means that if a New York resident thinks an organization subject to the SHIELD Act failed to comply with the law’s data protection requirements and caused the individual harm as a result, that individual could not sue the business under the SHIELD Act.
This is different from the CCPA, which provides a private right of action and damages for California residents if a data breach or misuse is caused by the lack of reasonable safeguards, even if there were no actual harm.
What’s next for the SHIELD Act?
The SHIELD Act effects businesses that holds private information of a New York resident, regardless of whether the organization does business in New York. The SHIELD Act also shows how seriously New York is taking privacy and data security issues. Organizations everywhere should be assessing their needs and implementing appropriate protocols in order to comply.