A Limited Shield of Privacy for New York Residents

By: Steve Masur

New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”) into law on July 25, 2019, nearly two years after the bill was originally proposed. The SHIELD Act amends New York’s General Business Law to reflect the data privacy needs of its residents. The Act implements additional security parameters for entities that own or license private information of New York residents. Additionally, the Act broadens the definitions of “private information” and “breach” to better protect New York residents against the unauthorized access of personal data. 

Reasonable Data Security Requirements

New York joins a growing list of states that have enacted more modern data privacy laws.  The Act requires businesses that own or license the private information of New York residents to have  “reasonable” technical, physical, and administrative safeguards in place in order to protect the security, confidentiality, and integrity of the residents’ private information. This replaces the old standard by which New York residents and entities were only protected if business was conducted within the State of New York. The Act offers several examples of measures that can be implemented to ensure compliance with the necessary safeguards such as training of management and employees in cybersecurity practices, regular monitoring, testing and upgrades to address key controls and systems, and disposal of private information in a timely fashion. Small businesses, however, need only “reasonable administrative, technical, and physical safeguards” that are tailored to the size of the business, the “nature and scope” of the business’ activities, and the sensitivity of the personal data the business holds.  

Private Information under the SHIELD Act

Another key feature of the Act is the wider scope of the definitions of “private information” and “data breach.” Under the Act, “private information” now includes biometric information, financial information (such as account numbers or credit or debit card numbers), and usernames or e-mail addresses in combination with password or security questions. While this is an improvement from the past definitions, it still falls behind the definitions provided in the privacy laws of other states, which include medical information and certain health insurance identifiers in the definitions. Further absent from the new definitions are personal identifiers such as consumers’ health insurance information and passport numbers

Breach of the Security System and Penalties under the SHIELD Act

The Act also updates what is considered a “breach of the security in a system.” Mere access to such privileged information now constitutes a breach, a change from the old standard that only restricted the acquisition of private information. While the SHIELD Act does implement stronger penalties for data system breaches, it does not entitle residents to a private right of action. Instead, the Act allows the New York State Attorney General to have broader oversight in bringing actions and obtaining civil penalties on behalf of residents. The new penalty for knowingly and recklessly violating the Act is a $20.00 fine for each instance of a failed notification, with a cap of $250,000. The Act further implements penalties for certain violations to the new data security standards, which can reach up to $5,000 per violation with no cap. It is unclear what constitutes a “violation” under the Act.