New York Increases Breach Notification and Security Responsibilities

30 September 2019 Innovative Technology Insights Blog
Author(s): Steven M. Millendorf

New York State has enacted S5575, the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”). This new law amends New York General Business Code 899-aa and adds Section 899-bb to significantly expand consumer privacy protections and the consequences of a data breach for businesses. The new law will go into effect on October 23, 2019.

New Definition of Private Information

Under current New York law, businesses must disclose a breach of “private information,” defined as any information concerning a natural person that can be used to identify that person, such as a name, number, personal mark, or other identifier (“personal information”), combined with certain other data elements. The SHIELD Act substantially broadens the definition of a consumer’s private information to include personal information combined with additional types of data elements, as summarized in the following table:

| "Private Information" | Prior New York Law | SHIELD Act |
|---|---|---|
| Social Security Number | X | X |
| Driver's License Number/State ID | X | X |
| Account Number, credit or debit card number (if the account can be accessed without additional information, security code, access code, or password) | X | X |
| Biometric Data (i.e. data generated by electronic measurements of an individual’s unique physical characteristics, such as fingerprints, voice prints, retina or iris images, used to authenticate or ascertain the individual’s identity) | | X |
| User Name/Email Address combined with a Password/Security Question Answer used to access an online account | | X |

Expanded definition of Breach of the Security of the System and New Breach Notification Requirements

The SHIELD Act also expands the definition of a “breach of the security of the system” to include unauthorized access to, or acquisition of, computerized data (as well as access or acquisition without valid authorization) that compromises the confidentiality, security, or integrity of private information. Previously, unauthorized access, or access without valid authorization, was not considered a breach; only the unauthorized acquisition, or acquisition without valid authorization, of private information was considered a “breach of the security of the system” that could trigger an obligation on the business to notify consumers of the breach.

Under the SHIELD Act, businesses will not be required to provide notice to individuals affected by a breach if the disclosure of private information was an inadvertent disclosure by someone authorized to access the information and the business reasonably determines that the disclosure is unlikely to result in either: (a) misuse of the information, (b) financial harm, or (c) in the case of a disclosure of online credentials, emotional harm. Businesses must document such determinations in writing and maintain the documentation for at least 5 years. Furthermore, if the breach involves more than 500 residents of New York, the business must provide the written determination that a notification is not necessary to the New York State Attorney General within 10 days after making the determination. 

Furthermore, the new law provides businesses with an exclusion for notifying New York residents of a breach if notice is provided in accordance with the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA, as amended by the HITECH Act), or certain other federal or New York State laws, rules, or regulations. 

The SHIELD Act also revises the methods by which businesses can notify individuals and the content of the notice. It maintains the preference for notification in writing, electronically, or by telephone. It also continues to permit substitute notice through email or conspicuous posting when appropriate. However, email notification is no longer permitted if an affected consumer’s access credentials (i.e. the consumer’s email address in combination with a password or security question and answer that would permit access to the online account) have been compromised. In such cases, businesses can provide clear and conspicuous notice to the consumer online when the consumer is connected to the online account from an IP address or online location that the business knows is customarily used by the consumer to access the online account. In addition to the previous requirements concerning the content of breach notifications, notifications must now include the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection, which would include the FTC and possibly the New York State Attorney General.

Notice to the New York State Attorney General

The SHIELD Act requires that businesses provide the New York State Attorney General with a copy of the template of the notice sent to affected individuals. If notification is made to the U.S. Secretary of Health and Human Services pursuant to HIPAA or the HITECH Act, businesses will also need to notify the New York State Attorney General within 5 business days of notifying the Secretary. These notices are in addition to the existing requirements to notify the Division of State Police as to the timing, content, and distribution of the notices and the approximate number of people affected, and to notify consumer reporting agencies if notification is made to more than 5,000 New York residents at one time.

New Requirements for Reasonable Security

The SHIELD Act also requires that businesses develop, implement, and maintain reasonable security safeguards to protect private information. Certain regulated businesses, such as businesses subject to the GLBA, HIPAA, or certain other federal or New York State laws, rules, or regulations, that are compliant with the security requirements in those regulations, are deemed compliant with the new security requirement. 

Small businesses (those with fewer than 50 employees, less than $3,000,000 in gross annual revenue for each of the last 3 fiscal years, or less than $5,000,000 in total assets) are compliant if their security program contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the business, the nature and scope of the business’s activities, and the sensitivity of the personal information involved.

For all other businesses, a business will be deemed to have developed, implemented, and maintained reasonable security safeguards if it adopts a data security program that contains the following elements:

  • reasonable administrative safeguards such as the following, in which the person or business:
    • designates one or more employees to coordinate the security program; 
    • identifies reasonably foreseeable internal and external risks; 
    • assesses the sufficiency of safeguards in place to control the identified risks;
    • trains and manages employees in the security program practices and procedures;
    • selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
    • adjusts the security program in light of business changes or new circumstances; and
  • reasonable technical safeguards such as the following, in which the person or business: 
    • assesses risks in network and software design; 
    • assesses risks in information processing, transmission and storage; 
    • detects, prevents and responds to attacks or system failures; and 
    • regularly tests and monitors the effectiveness of key controls, systems and procedures; and
  • reasonable physical safeguards such as the following, in which the person or business: 
    • assesses risks of information storage and disposal; 
    • detects, prevents and responds to intrusions; 
    • protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
    • disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Penalties for Violations

The consequences for failure to notify affected persons in the event of a breach can be severe. Upon evidence that the breach notification requirements have been violated, the New York Attorney General may bring an enforcement action for up to 3 years after the earlier of either the date on which the Attorney General became aware of the violation or the date on which notice was sent to affected persons pursuant to the law. If a court finds that a business failed to satisfy the requirements of the law, the court may award actual costs or losses, including consequential financial losses, for all affected persons. If a business is found to have knowingly or recklessly violated the law, the court may impose the greater of either five thousand dollars or twenty dollars per instance of failed notification, up to a maximum penalty of two hundred fifty thousand dollars. Courts interpreting similar laws have often applied this “per instance” language such that each individual a business fails to notify is deemed a separate instance, which can add up quickly.

A failure to develop, implement, and maintain reasonable security measures is considered a deceptive business practice, and the Attorney General can bring an action seeking an injunction and/or civil penalties of up to $5,000 for each violation.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.