The Business Lawyer
American Bar Association
New York Shows Two Sides of the Same SHIELD Act
DOI 10.928/ac.2021.03.33, Volume 76, Issue 1

By David Payne

I. Introduction

The New York SHIELD Act[1] reaches beyond the jurisdiction of New York and is more expansive than the privacy laws of many other states. The Act protects “private information,” which is defined to encompass more than “personal information.” The definition of a reportable “breach” was expanded to match that of other state data breach notification laws, but the situations in which a business is excused from disclosing a breach are narrower than in other state laws. Many state laws require reasonable data security for personal information, but the SHIELD Act is more specific, listing security measures that are deemed reasonable. Whether located inside or outside of the State of New York, businesses with customers who are residents of that state should become aware of the SHIELD Act requirements.

II. Principal Components of the Act

A. Extraterritorial Reach of the Act

The SHIELD Act applies to any business holding private information of a New York resident.[2] Similar to the extraterritorial reach of the EU’s General Data Protection Regulation (“GDPR”),[3] the SHIELD Act protects the residents of New York and their information—wherever that information may be. The SHIELD Act amended the previous scope of New York’s breach notification law by broadening it to encompass more than entities conducting business in the state.[4] A business located outside the state’s borders may be subject to the Act whether it collects information directly from New York residents or merely “maintains” such information,[5] after receiving it indirectly, as many business-to-business service providers do. Given the large population of New York,[6] it seems likely that many companies doing business in the United States hold the private information of a New York resident.

B. Expansive Definition of “Private Information”

The information protected by the SHIELD Act is of a different character than purely personal data. The obligations of the Act only apply to information concerning a natural person when it is combined with data one could normally use to access personal accounts. “Private information” is either: (1) the combination of personal information with specified data elements,[7] or (2) the combination of a username or email address with associated credentials.[8] The word “access” appears six times in the definition, hinting that the SHIELD Act focuses on a different subject than data subjects (i.e., humans, in the case of the GDPR,[9] and households, in the case of the California Consumer Privacy Act[10]).

C. Security Measures Deemed to Comply

Rather than restrictions on use of personal information—protecting the rights of people—the SHIELD Act contains requirements to secure private information—protecting the information itself. Any business holding the private information of a New York resident must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”[11] A business will be deemed in compliance with that obligation if it adopts a data security program as outlined in the Act.[12] A conforming data security program must include the following administrative, technical, and physical safeguards:

Administrative:

- designating at least one employee to coordinate the security program
- identifying reasonably foreseeable internal and external risks
- assessing existing safeguards to control those risks
- training employees in the security program
- selecting service providers capable of maintaining appropriate safeguards
- requiring those safeguards by contract
- adjusting the security program in response to business changes or new circumstances.[13]

Technical:

- assessing risks of network and software design
- assessing risks in information processing, transmission, and storage
- detecting, preventing, and responding to attacks or system failures
- regularly testing and monitoring key controls, systems, and procedures.[14]

Physical:

- assessing risks of information storage and disposal
- detecting, preventing, and responding to intrusions
- protecting against unauthorized access to or use of private information
- disposing of private information within a reasonable time after it is no longer needed for business purposes by erasing electronic media.[15]

One type of safeguard common to all three categories is risk assessment with a focus on risks to information exposure.[16]

Although the list of required safeguards is lengthy, the Act does contain accommodations for small businesses and exemptions for businesses covered by reasonably similar regulations. A small business is not considered exempt but is allowed to scale down compliance measures as appropriate for the size and complexity of its business.[17] The only entities generally exempt from the SHIELD Act are those subject to other similar-purpose laws.[18]

D. Expansive Definition of “Breach”

Under the SHIELD Act, a “breach of the security of the system” extends to cases of access to private information by any person without valid authorization.[19] Private information has been accessed, “or is reasonably believed” to have been accessed, if there are indications the information was “viewed, communicated with, used, or altered by . . . an unauthorized person.”[20] If “breach” were defined as only unauthorized acquisition, many situations of intrusion faced by businesses might be exempt from a notification requirement. Evidence of copying or downloading—“acquisition”—by an anonymous third party will likely be less prevalent than internal logs indicating information has been viewed—“access.” New York aligns with some other states applying access or acquisition as the standard for breach,[21] rather than the acquisition standard under the state’s prior law.[22] The “reasonably believed” language of the definition is relevant to the notification requirements of the Act.[23]

E. Risk-Based Exception to Breach Notification

The SHIELD Act requires notification directly to New York State residents whose private information has been breached.[24] However, notification is excused if the disclosure “was an inadvertent disclosure by persons authorized to access private information” and “such exposure will not likely result in misuse . . . or financial harm . . . or emotional harm.”[25] Any business relying on this exception must document its applicability.[26] Furthermore, if more than five hundred New York residents have been affected, the business must share its determination with the New York Attorney General, presumably to confirm the reasonableness of the company’s no-harm-from-breach conclusion.[27] The SHIELD Act has no statute of limitations if the business “took steps to hide the breach.”[28]

F. Penalties for Failure to Comply

Fines can be imposed for failing to notify individuals of a breach or for failing to implement reasonable security safeguards. A court may impose a civil penalty for knowingly or recklessly violating either the notification or data-security requirements in the amount of $20 per instance, with a minimum of $5,000 and a maximum of $250,000.[29] Actual losses to individuals entitled to notice may also be awarded.[30] Not implementing reasonable security measures is deemed a violation of the state unfair and deceptive practices statute,[31] which authorizes penalties of not more than $5,000 per violation but which does not otherwise impose an overall maximum for such penalties.[32]

In addition to pursuing these penalties, the Attorney General[33] may seek an injunction requiring a business to provide notification of a breach to the affected individuals or to compel compliance with reasonable safeguards even in the absence of a breach.[34] Enforcement can be expected because the Office of the Attorney General helped develop and sponsor the bill.[35]

III. Conclusion

The SHIELD Act’s scope stretches beyond that of other state privacy laws in several ways. It applies to any business holding private information of New York residents, regardless of the business’s location. The definition of private information includes personally identifiable information but is not necessarily limited to it. The Act also sets out a detailed set of data security requirements for businesses to follow. Although the SHIELD Act creates no private right of action, enforcement by the New York Attorney General can be expected.

Notes

[1] Stop Hacks and Improve Electronic Data Security Act, N.Y. GEN. BUS. LAW §§ 899-aa, 899-bb (West, Westlaw through L.2019, ch. 758 & L.2020, ch. 1–56, 58–167) [hereinafter SHIELD Act].
[2] Id. § 899-aa(2).
[3] See Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), art. 3(2), 2016 O.J. (L 119) 1, 33 [hereinafter GDPR] (“This Regulation applies to the processing of personal data . . . by a controller or processor not established in the Union . . . .”).
[4] S. 5575-B, 242d Leg., 2019 Sess. § 3 (N.Y. 2019) (amending N.Y. GEN. BUS. LAW § 899-aa(2)) (by deleting “conducts business in New York state”).
[5] N.Y. GEN. BUS. LAW § 899-aa(3) (West, Westlaw through L.2019, ch. 758 & L.2020, ch. 1–56, 58–167) (imposing obligations on “[a]ny person or business which maintains computerized data which includes private information” (emphasis added)).
[6] New York is the fourth largest state by population. Press Release, U.S. Census Bureau, 2019 U.S. Population Estimates Continue to Show the Nation’s Growth Is Slowing tbl.1 (Dec. 30, 2019), https://www.census.gov/newsroom/press-releases/2019/popest-nation.html.
[7] See N.Y. GEN. BUS. LAW § 899-aa(1)(b)(i) (West, Westlaw through L.2019, ch. 758 & L.2020, ch. 1–56, 58–167) (defining “private information” to include “personal information . . . in combination with . . . the following data elements” (emphasis added)).
[8] Id. § 899-aa(1)(b)(ii) (defining “private information”).
[9] See GDPR, supra note 3, art. 1.1, at 32 (stating purpose as “protection of natural persons” (emphasis added)).
[10] See California Consumer Privacy Act of 2018 (CCPA), CAL. CIV. CODE § 1798.140(o)(1) (West, Westlaw through ch. 33 of 2020 Reg. Sess.) (defining “personal information” as information that can be linked to “a particular consumer or household” (emphasis added)).
[11] N.Y. GEN. BUS. LAW § 899-bb(2)(a) (West, Westlaw through L.2019, ch. 758 & L.2020, ch. 1–56, 58–167).
[12] Id. § 899-bb(2)(b)(ii).
[13] Id. § 899-bb(2)(b)(ii)(A)(1)–(6).
[14] Id. § 899-bb(2)(b)(ii)(B)(1)–(4).
[15] Id. § 899-bb(2)(b)(ii)(C)(1)–(4).
[16] Id. § 899-bb(2)(b)(ii)(A)(2), (A)(3), (B)(1), (B)(2), (C)(1).
[17] Id. § 899-bb(2)(c) (cross-referencing N.Y. GEN. BUS. LAW § 899-bb(1)(c), which defines a “small business” as one having (i) fewer than fifty employees, (ii) less than three million dollars in gross annual revenues in each of the last three years, or (iii) less than five million dollars in assets at year-end).
[18] Id. § 899-bb(1)(a)(i)–(iv) (defining “compliant regulated entity” to mean one subject to, and in compliance with, any of the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the cybersecurity regulations of the New York State Department of Financial Services, or any other federal or New York state data security rules or regulations).
[19] Id. § 899-aa(1)(c).
[20] Id.
[21] See id. (“unauthorized access to or acquisition of . . . private information”); CONN. GEN. STAT. ANN. § 36a-701b(a)(1) (West, Westlaw through 2020 July Spec. Sess.) (virtually same); R.I. GEN. LAWS ANN. § 11-49.3-3(a)(1) (West Supp. 2020) (virtually same).
[22] S. 5575-B, 242d Leg., 2019 Sess. § 3 (N.Y. 2019) (amending N.Y. GEN. BUS. LAW § 899-aa(1)(c)) (by adding “access” to the pre-existing “acquisition”).
[23] See N.Y. GEN. BUS. LAW § 899-aa(2), (3), (7) (West, Westlaw through L.2019, ch. 758 & L.2020, ch. 1–56, 58–167).
[24] Id. § 899-aa(2).
[25] Id. § 899-aa(2)(a).
[26] Id.
[27] Id.
[28] Id. § 899-aa(6)(c).
[29] Id. § 899-aa(6)(a). Section 899-aa(6)(a) refers to a “violation of this article,” where “this article” means Article 39-F of the New York Consolidated Laws, which includes sections 899-aa (Notification) and 899-bb (Data Security Protections). Id.; cf. id. § 899-aa(6)(b), (c) (referencing remedies available for violations of “this section,” not “this article”).
[30] Id. § 899-aa(6)(a).
[31] Id. § 899-bb(2)(d) (cross-referencing N.Y. GEN. BUS. LAW § 349 (Deceptive Acts and Practices Unlawful)).
[32] See id. (cross-referencing N.Y. GEN. BUS. LAW § 350-d (Civil Penalty)).
[33] Unlike the CCPA, the SHIELD Act does not create a private right of action. Compare id. § 899-bb(2)(e) (“Nothing in this section shall create a private right of action.”), with CAL. CIV. CODE § 1798.150(b) (West, Westlaw through ch. 33 of 2020 Reg. Sess.) (“Actions pursuant to this section may be brought by a consumer . . . .”).
[34] N.Y. GEN. BUS. LAW §§ 899-aa(6)(a), 899-bb(2)(d) (West, Westlaw through L.2019, ch. 758 & L.2020, ch. 1–56, 58–167).
[35] Press Release, Letitia James, N.Y. Att’y Gen., Attorney General James’ Statement on Shield Act (July 25, 2019), https://ag.ny.gov/press-release/2019/attorney-general-james-statement-shield-act.