The New York SHIELD Act[1] reaches beyond the jurisdiction of New York and is more expansive than the privacy laws of many other states. The Act protects “private information,” which is defined to encompass more than “personal information.” The definition of a reportable “breach” was expanded to match that of other state data breach notification laws, but the situations in which a business is excused from disclosing a breach are narrower than in other state laws. Many state laws require reasonable data security for personal information, but the SHIELD Act is more specific, listing security measures that are deemed reasonable. Whether located inside or outside of the State of New York, businesses with customers who are residents of that state should become aware of the SHIELD Act requirements.
The SHIELD Act applies to any business holding private information of a New York resident.[2] Similar to the extraterritorial reach of the EU’s General Data Protection Directive (“GDPR”),[3] the SHIELD Act protects the residents of New York and their information—wherever that information may be. The SHIELD Act amended the previous scope of New York’s breach notification law by broadening it to encompass more than entities conducting business in the state.[4] A business located outside the state’s borders may be subject to the Act whether it collects information directly from New York residents or merely “maintains” such information,[5] after receiving it indirectly, as many business-to-business service providers do. Given the large population of New York,[6] it seems likely that many companies doing business in the United States hold the private information of a New York resident.
The information protected by the SHIELD Act is of a different character than purely personal data. The obligations of the Act only apply to information concerning a natural person when it is combined with data one could normally use to access personal accounts. “Private information” is either: (1) the combination of personal information with specified data elements,[7] or (2) the combination of a username or email address with associated credentials.[8] The word “access” appears six times in the definition, hinting that the SHIELD Act focuses on a different subject than data subjects (i.e., humans, in the case of the GDPR,[9] and households, in the case of the California Consumer Privacy Act[10]).
Rather than restrictions on use of personal information—protecting the rights of people—the SHIELD Act contains requirements to secure private information—protecting the information itself. Any business holding the private information of a New York resident must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”[11] A business will be deemed in compliance with that obligation if it adopts a data security program as outlined in the Act.[12] A conforming data security program must include the following administrative, technical, and physical safeguards:
One type of safeguard common to all three categories is risk assessment with a focus on risks to information exposure.[16]
Although the list of required safeguards is lengthy, the Act does contain accommodations for small businesses and exemptions for businesses covered by reasonably similar regulations. A small business is not considered exempt but is allowed to scale down compliance measures as appropriate for the size and complexity of its business.[17] The only entities generally exempt from the SHIELD Act are those subject to other similar-purpose laws.[18]
Under the SHIELD Act, a “breach of the security of the system” extends to cases of access to private information by any person without valid authorization.[19] Private information has been accessed, “or is reasonably believed” to have been accessed, if there are indications the information was “viewed, communicated with, used, or altered by . . . an unauthorized person.”[20] If “breach” were defined as only unauthorized acquisition, many situations of intrusion faced by businesses might be exempt from a notification requirement. Evidence of copying or downloading—“acquisition”—by an anonymous third party will likely be less prevalent than internal logs indicating information has been viewed—“access.” New York aligns with some other states applying access or acquisition as the standard for breach,[21] rather than the acquisition standard under the state’s prior law.[22] The “reasonably believed” language of the definition is relevant to the notification requirements of the Act.[23]
The SHIELD Act requires notification directly to New York State residents whose private information has been breached.[24] However, notification is excused if the disclosure “was an inadvertent disclosure by persons authorized to access private information” and “such exposure will not likely result in misuse . . . or financial harm . . . or emotional harm.”[25] Any business relying on this exception must document its applicability.[26] Furthermore, if more than five hundred New York residents have been affected, the business must share its determination with the New York Attorney General, presumably to confirm the reasonableness of the company’s no-harm-from-breach conclusion.[27] The SHIELD Act has no statute of limitations if the business “took steps to hide the breach.”[28]
Fines can be imposed for failing to notify individuals of a breach or for failing to implement reasonable security safeguards. A court may impose a civil penalty for knowingly or recklessly violating either the notification or data-security requirements in the amount of $20 per instance, with a minimum of $5,000 and a maximum of $250,000.[29] Actual losses to individuals entitled to notice may also be awarded.[30] Not implementing reasonable security measures is deemed a violation of the state unfair and deceptive practices statute,[31] which authorizes penalties of not more than $5,000 per violation but which does not otherwise impose an overall maximum for such penalties.[32]
In addition to pursuing these penalties, the Attorney General[33] may seek an injunction requiring a business to provide notification of a breach to the affected individuals or to compel compliance with reasonable safeguards even in the absence of a breach.[34] Enforcement can be expected because the Office of the Attorney General helped develop and sponsor the bill.[35]
The SHIELD Act’s scope stretches beyond that of other state privacy laws in several ways. It applies to any business holding private information of New York residents, regardless of the business’s location. The definition of private information includes personally identifiable information but is not necessarily limited to it. The Act also sets out a detailed set of data security requirements for businesses to follow. Although the SHIELD Act creates no private right of action, enforcement by the New York Attorney General can be expected.