• New York has expanded its data breach notification requirements to broaden the definition of personal information, outline data security requirements, and update breach notification guidelines. New York will now require all businesses holding a New York resident’s personal information to maintain “reasonable security” to protect that data — “reasonable” being defined both as a general standard and via a list of specific protections businesses should follow, such as identifying reasonably foreseeable risks, assessing the sufficiency of safeguards in place to control risk, training employees in security program practices, testing and monitoring the effectiveness of key controls, systems, and procedures, and disposing of private information within a reasonable amount of time after it is no longer needed.
• Because the new requirements apply to all businesses holding New York residents’ data, not just those based in New York, the requirements will have broad applicability and — along with the California Consumer Privacy Act, coming into effect at the start of 2020 — will represent a continuing shift towards mandating that businesses take specific steps to safeguard consumers’ personal information.

New York Governor Andrew Cuomo has signed into law a set of amendments to New York’s data breach notification law that expands the definition of personal information, outlines “reasonable” data security safeguards that businesses holding New Yorkers’ data must implement, and provides that credit reporting agencies must guarantee identity theft protections if their systems are breached.

The Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) expands the definition of personal information and, most significantly, creates new substantive cybersecurity requirements. The SHIELD Act’s amendments to the existing data breach notification law requirements take effect on October 23, 2019; the effective date for the new data security requirements is March 21, 2020.

What are the new data security requirements? For regulated entities already required to comply with another cybersecurity legal regime — defined as either the federal Gramm-Leach-Bliley Act (“GLBA”), the federal healthcare standards (“HIPAA/HITECH”), the New York Department of Financial Services’ Cybersecurity Regulation (“DFS Part 500”), or any other data security rules and regulations promulgated by the federal or New York State government — compliance with that regime is a safe harbor, meaning the entity is deemed compliant with New York’s new “reasonableness” standard.

For everyone else, the SHIELD Act requires any person or business that owns or licenses the computerized personal information of any New York resident to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.”

The SHIELD Act does not map out a complete definition of what “reasonable” security means. Rather, like California and the dozen or so other states that have written a reasonableness requirement into their cybersecurity laws, New York apparently intends for this to be an evolving standard without rigid definitions. The bar likely will get higher over time as threat vectors evolve, and as the collective sense of what is an objectively appropriate cybersecurity program evolves to match.

That said, the SHIELD Act does set out a partial roadmap of what a business will need to do, including:

Implement reasonable administrative safeguards, such as conducting a cybersecurity risk assessment, designating an employee responsible for cybersecurity, continuously updating its risk assessment and necessary security measures, and training for all employees on the security program.

Implement reasonable technical safeguards sufficient to identify and assess risks to network security and data processing or storage, and regularly test and monitor the technical security of the system.

Implement reasonable physical safeguards that protect against unauthorized access, detect and respond to intrusions, and ensure the safe and timely disposal of data that is no longer needed for business purposes.

A “small business” — one with fewer than 50 employees, less than $3 million in annual revenue, or less than $5 million in assets — is permitted to implement a cybersecurity program that is reasonable for the size and complexity of the business, but is still subject to the reasonable security requirement.

The SHIELD Act does not create a private right of action, but does authorize enforcement proceedings by the New York Attorney General under New York’s basic consumer protection statute, section 349 of the General Business Law — for any covered person or entity found to have failed to implement reasonable cybersecurity. By the plain terms of the SHIELD Act, it appears that a lack of “reasonable” security is actionable by the state attorney general with or without a data breach. The state attorney general is empowered under Section 349 to seek injunctive relief and may obtain civil penalties under Section 350(d).

What are the updates to data breach notification requirements?

• An “account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account without additional identifying information, security code, access code, or password;”
• “Biometric information,” “such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity;” and
• “[A] user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.”

How can businesses satisfy the notification requirement?

When would notification not be required?

• If the incident affects more than 500 residents of New York and such a determination was made, the person or business must provide the written determination to the Attorney General within ten days.

Governor Cuomo also signed the Identity Theft Prevention and Mitigation Services Act, which outlines requirements for credit reporting agencies following a breach. The Act takes effect on September 23, 2019, and applies to breaches of credit reporting agencies that occurred within the three years prior to the Act’s effective date.

What protections must be offered?

If a credit reporting agency experiences a security breach which includes social security numbers, the agency is required to offer reasonable identity theft prevention services to individuals affected by the breach

If applicable, the agency should also provide free identity theft mitigation services for up to five years.

Are there any exceptions?

Yes, the agency does not have to provide identity theft prevention or mitigation services if it determines that the breach is unlikely to result in harm to consumers.

Our Cybersecurity and Data Privacy Team would be pleased to discuss these issues with our clients and friends.

Please do not hesitate to contact us with any questions.