Joining the growing list of states enacting privacy and data security laws, on July 25, 2019, New York’s governor signed into law the “Stop Hacks and Improve Electronic Data Security” Act (the “SHIELD Act”), amending the state’s data breach notification and cybersecurity law. The SHIELD Act applies to “any person or business that owns … computerized data which includes private information,” regardless of corporate structure, revenues or location. As such, the SHIELD Act will apply to not only businesses and employers in New York, but may also apply to businesses and employers with no physical presence in New York.

The SHIELD Act imposes more expansive data security and data breach notification requirements on companies by:

  • Broadening the scope of “private information” covered under the notification law to include personal information (such as a social security number or driver’s license number), biometric information and email addresses with their corresponding passwords or security questions and answers;
  • Expanding the definition of “breach” of the security of the system to include unauthorized access of computerized data that compromises the security, confidentiality, or integrity of private information;
  • Expanding the territorial scope of the breach notification requirement to any person or entity with private information of a New York resident, not just to those who conduct business in New York;
  • Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information; and.
  • Creating requirements for companies to implement reasonable safeguards to protect the security, confidentiality and integrity of private information.

The SHIELD Act, however, affords certain exceptions. Under the new amendments, a company may be exempt from the breach notification requirements if “exposure of Private Information was an inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” The amendments further clarify that businesses will be deemed compliant with the SHIELD Act if the business complies with other laws requiring information security, such as the Health Insurance Portability and Accountability Act Security Rule (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies. Such covered entities are not required to notify affected New York residents regarding such breaches under New York’s breach notification law; however, companies must still notify the New York Attorney General, the Department of State Division of Consumer Protection, and the Division of the State Police regarding the breach.

Additionally, the SHIELD Act does not authorize a private right of action or class action litigation. However, the Attorney General is authorized to bring enforcement actions, and violations may result in civil penalties.

The SHIELD Act’s breach notification amendments take effect October 23, 2019, while the new data security requirements will take effect beginning March 21, 2020.

Employers located in New York or that otherwise possess private information of New York residents should review and update their data security programs to comply with these new amendments.