I. Amendment to New York State Breach Notification Statute
With the passage of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which amended the 2005 breach notification statute (N.Y. Gen. Bus. Law § 899-aa) and goes into effect on March 21, 2020, New York broadened the scope of its breach notification statute by requiring businesses that own or license a New York resident’s private information to (1) provide notification to such resident, irrespective of whether the company conducts business in the state; (2) include (a) biometric data “generated by electronic measurements of an individual's unique physical characteristics…, which are used to authenticate or ascertain the individual’s identity” and (b) email addresses with associated passwords or security question that would permit access to an online account as additional data elements to the definition of “private information;” (3) require breach notification to New York residents when there is an unauthorized access of private information and (4) establish safeguards to protect sensitive data by mandating that “any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information…”
II. Broadening the Definition of “Private Information”
Under the 2005 breach notification statute “personal information,” defined as “any information concerning a natural person…” became “private information” when such information was used in combination with an individual’s unencrypted social security number, driver’s license number or non-driver ID card or “account number and account number, credit or debit card number, in combination with any required security code that would permit access to an individual's financial accounts.” The amendment keeps the definition of “personal information” but includes the three new data elements: biometric information, email addresses and account number, credit or debit card number to access such accounts without the need for any additional identifying information. Consequently, personal information, in combination with any one of the foregoing three new data elements also will transform the information into private information. The broadening of the definition generally reflects a recognition of technological advances that could expose a natural person’s personal information if accessed or acquired without authorization and therefore trigger the breach notification requirements under the Act.
III. Broadening the Definition of what Constitutes a Data Breach
The Act also broadens the definition of a data breach to include unauthorized access, whereas under the 2005 law the definition was generally restricted to the unauthorized acquisition of private information. To determine whether unencrypted private information has been acquired or is reasonably believed to have been acquired, generally, if the information was not in the possession of an unauthorized person; had not been downloaded or copied or was not used to open fraudulent accounts, the breach notification requirements might not have been triggered. While the Act still applies to the unauthorized acquisition of private information, as noted, the breach notification triggering mechanism under the Act has been broadened to include unauthorized access. Under the Act, a business can determine whether information has been accessed by considering whether there are indications that “the information was viewed, communicated with, used or altered by a personal without valid authorization or by an unauthorized person.” As unauthorized access includes the mere viewing of information (as opposed to taking possession of), it is anticipated that the number of data breaches will significantly increase, resulting in a similar corresponding increase in breach notifications to affected individuals. While the Act requires notification to affected individuals “in the most expedient time possible and without unreasonable delay,” it does create an exception from the reporting requirements for those incidents where “the exposure of private information was inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm...” In addition, notification is generally not required if notification is made in accordance with the requirements of the other applicable federal and state statutes and regulations discussed below.
IV. Requirement for Businesses to Implement Safeguards to Protect Private Information
A. Compliant Regulated Entities
As noted, the Act also requires businesses to implement reasonable safeguards to protect private information. In requiring businesses to protect private information, the Act provides that a “Compliant Regulated Entity” that is subject to and in compliance with the data security requirements under (i) the Gramm-Leach-Bliley Act, (ii) regulations implementing the Health Insurance Portability and Accountability Act and the Department of Financial Services Cybersecurity Regulation (Part 500) and any other statutes or regulations administered by the federal and state government and their respective agencies shall be deemed in compliance with the Act’s requirement to implement safeguards to protect private information. All other business under the Act fall into one of two categories: small businesses and everyone else.
B. Small Businesses
The Act defines a small business as “any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.”
If a business qualifies as a small business under the Act, it is deemed to have complied with the data protection requirements if it implements a security program that contains “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.” In other words, the size, resources and nature of the small business informs the security program it is required to have in place.
C. Everyone Else
With respect to everyone else, i.e., the business is not a “Compliant Regulated Entity” or a small business, the Act generally provides that a person or business shall be deemed in compliance with the data protection requirements if it implements a data security program setting forth reasonable administrative, technical and physical safeguards that includes, among other enumerated items, (1) an individual responsible for coordinating its security program, (2) identifies internal and external risks, (3) risk assessments, (4) employee training relative to its security program practices and procedures, (5) does business with services providers that are capable of mainlining appropriate safeguards and are required to do so by contract, (5) adjusting the security program in view of changes in the business or circumstances. As for technical standards, in addition to risk assessments, the security program is required to, among other things, detect, prevent and respond to attacks or system failures and regularly test and monitor key controls. The Act further lists physical safeguards that should be implemented, including, for example, the assessment of the risk of information storage and disposal, the ability to detect, prevent and respond to intrusions, protect “against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information” and “dispose of private information within a reasonable amount of time after it is no longer needed for business purposes…”
V. Remedies against Violators of the Act
In terms of redress and remedies against violators, the Act deems noncompliance to be a violation of Section 349 of the General Business Law (relating to deceptive business practices) and vests exclusive enforcement authority in the New York State Attorney General, authorizing the office to seek injunctive relief and impose civil penalties under another provision of the General Business Law. Importantly, the Act specifically provides that “nothing in this section shall create a private right of action.”
The requirement that “any person or business that owns or licenses computerized data which includes private information of a resident of New York” must implement safeguards to protect private information is a new statutory requirement for which all businesses will need to comply. As a threshold matter, for businesses, it will be important to determine what category they fall into: Compliant Regulated Entity; small business or everyone else. Once the category is identified, at a minimum, they need to implement the programs and policies applicable to their type of business to be deemed in compliance with the Act. In addition, businesses will need to incorporate into their data incident response plans the broader definition of “private information” that added three new data elements that may trigger the breach notification requirements, subject to any applicable exceptions. As such, all businesses should evaluate their existing data security programs and policies to determine what changes, if any, need to be made to comply with the Act by its effective date of March 21, 2020.
* The views, observations and any opinions expressed above are solely that of the authors and do not reflect the views, observations and opinions of Morrison Mahoney, LLP or its clients. This article is intended for general information purposes and is not intended to be and should not be taken as legal advice.