Last summer, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The SHIELD Act’s data breach notification requirements are already effective and the law’s data security requirements go into effect on March 21. Any company that does business in New York or has customers in New York needs to understand what the law requires.

New York, like many other states, has a data breach notification law that requires businesses to notify consumers when a breach occurs. The SHIELD Act goes further than New York’s previous law, both in its definition of what type of information is covered and in reaching companies that may not have any connection to New York except for having information about New York residents in their database. The SHIELD Act:

  • Expanded the scope of information subject to New York’s previous data breach notification law. Previously, the law covered “personal information,” meaning information which, because of name, number, personal mark, or other identifier, can be used to identify a person. The scope of information has been expanded to include what the law now calls “private information,” which also includes biometric information, email addresses and their corresponding passwords or security questions and answers, and protected health information as defined under HIPAA.
  • Broadened the definition of a data breach to include unauthorized access to private information. Previously, information had to be “acquired” in order for a data breach to occur, now only “access” is necessary. In determining whether information has been “accessed” without valid authorization, businesses may consider, among other factors, indications that the information was viewed, communicated with, used, or altered.
  • Updated the notification procedures companies must follow when there has been a breach. Importantly, the law applies the notification requirement to any person or entity with the private information of a New York resident, not just to persons or entities that conduct business in New York. Notice is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of the information. If a determination that notice is not required is made, the determination must be documented in writing and maintained for at least five years, and if the incident affects over five hundred residents of New York, the written determination must be provided to the state attorney general.
  • Requires businesses to enact “reasonable” security practices. The law creates data security requirements tailored to the size of a business. For instance, a small business (based on revenues and number of employees) will be deemed to have reasonable security practices in place if its security program “contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” Businesses that are not small businesses must implement a data security program that includes reasonable administrative safeguards (including risk identification and assessment, employee training, and monitoring), reasonable technical safeguards, and reasonable physical safeguards. A business that is subject to and meets the data security requirements of other federal or New York laws that include cybersecurity protections (including HIPAA-HITECH and Gramm-Leach-Bliley) is deemed to have met the data security requirements of the SHIELD Act.

Like the EU’s General Data Protection Regulation (GDPR) and like the California Consumer Privacy Act (CCPA), the SHIELD Act has extraterritorial effect—if you have private data of a New York resident, you have to comply with the law. Given the size of the state of New York, companies that do business on any but the most hyperlocal level need to evaluate whether they must comply.