New York’s SHIELD Act Clarifies Data Security Obligations
November 2019 | By: Kyle G. Kunst, Esq. | GDB 2019 Fall Newsletter
On July 25, Governor Cuomo signed the “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act) into law. The SHIELD Act amends existing New York law to clarify the steps a business must take when it suffers a data breach. The SHIELD Act also created a brand new law, General Obligations Law (“GOL”) § 899-bb, which describes the security protocol that must be put in place to protect the “private information” of a New York resident.
“Private information” is defined as social security numbers, driver’s license numbers, financial information such as account numbers or passwords, biometric information including fingerprints, voice prints, retinal images or “digital representation of biometric data that are used to authenticate or ascertain the individual’s identity,” or information which may be used to access an email account.
Two Paths to Data Security Compliance
GOL § 899-bb creates two paths to data security compliance. First, any person or business is compliant under the SHIELD Act if it is also subject to and in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996, or any data security rules or regulations of New York or the federal government.
The second path to SHIELD Act compliance is implementation of the data security protocols listed in GOL § 899-bb. Some of those protocols include designating one or more employees to coordinate the security program; training and managing employees in the security program’s practices and procedures; regularly testing and monitoring the effectiveness of key controls, systems and procedures; and detecting, preventing and responding to intrusions.
However, the SHIELD Act carves out an exception for a “small business,” which is any business “with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.” A small business is compliant if it implements a data security program which is reasonable for the nature and scope of that business and the sensitivity of the personal information that business collects.
Violations of the SHIELD Act’s data security requirements subject the non-compliant person or entity to civil penalties. Though the SHIELD Act expressly disclaims any private right of action under that statute, courts applying New York law have permitted private actions against companies for data breaches based upon other legal theories.
Companies that purchase or possess private information of New York residents should alert their internal information technology professionals or their outside vendors to the SHIELD Act to ensure compliance.