The SHIELD Act: New Cyber Requirements for New York Businesses

On July 25, 2019, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into law by Governor Cuomo. It will become effective on October 23, 2019. The Act makes important updates to the way that businesses must respond to data breaches and imposes new requirements on businesses to enact data security programs intended to ameliorate businesses’ risk of a data breach. New York businesses, or those that maintain the data of New York residents, are encouraged to consider whether to take action now.

The SHIELD Act expands both the scope and application of New York’s General Business Law § 899-aa, which had exclusively concerned New York’s data breach notification requirements. When the Act takes effect, GBL § 899-aa will no longer be limited to businesses physically located in New York but will apply to any business that owns or licenses the “private information” of any New York resident. It will also expand the definition of a data breach incident to include unauthorized “access to” as well as “acquisition of” private information. The definition of “private information” will now include credit and debit card numbers, without security codes, if the number can be used to access the account; email addresses, when accompanied by passwords or answers to security questions that can be used to access online accounts; and biometric information, such as fingerprints and retina images.

New Cybersecurity Safeguards

Most profoundly, the SHIELD Act changes New York’s cybersecurity landscape by the addition of General Business Law § 899-bb, which broadly imposes the requirement that businesses of all types create plans for “data security protections.”  Businesses that are already regulated by and comply with the requirements of HIPAA; Hi-TECH, Gramm-Leach-Bliley; New York’s Title 23, Part 500; or any other federal or New York State data security rule or regulation will be deemed to also comply with the SHIELD Act. All other businesses, however, will be required to meet the SHIELD Act requirements.

The data security provision provides a framework for businesses to develop, implement and maintain “reasonable safeguards to protect the security, confidentiality and integrity” of New York residents’ data, including its disposal. It identifies three parts of any data security program.

1. The first is “reasonable administrative safeguards.” These include delegating cybersecurity responsibility to designated employees; assessing internal and external risks and enacting reasonable safeguards to address those risks; training of management and employees in cybersecurity practices; and selecting vendors who are capable and contractually obligated to meet cybersecurity standards.
2. Next, businesses must undertake “reasonable technical safeguards,” such as a risk assessment of the business’ network and software, information processing, transmission and storage; assessment, prevention and response to cyber-attacks; and regular monitoring, testing and upgrades to address key controls and systems.
3. Finally, “reasonable physical safeguards” are needed to address the location, technology and access to data storage and disposal and to protect unauthorized access to private information while in use, in storage, transport or disposal.

The failure to comply with the required data security program is deemed a “deceptive business practice” under General Business Law § 349.

The SHIELD Act provides “small businesses” with the opportunity to comply with their own data security program that may be less onerous than otherwise required, by enacting “reasonable” administrative, technical and physical safeguards that are appropriate to each small business based on its size, business complexity and the sensitivity of the data in its possession. A small business is defined as a business with fewer than 50 employees, less than $3 million in gross annual revenue in the past three years or less than $5 million in year-end total assets.

Changes to Breach Notification Provisions

The SHIELD Act’s amendment of General Business Law § 899-aa also significantly updated the what, when and how data breach notification must be given to New York residents. Some of those changes are fairly business-friendly. For example, businesses will no longer be required to provide breach notification when private information is inadvertently exposed by a person who was authorized to access the data, and the business “reasonably determines” that the exposure will “not likely result in the misuse of such information” or financial or emotional harm to the data subject. The business’ determination must be documented, in writing, kept for five years and provided to the Attorney General if more than 500 people were affected by the incident. Additionally, as with the cybersecurity requirements added by GBL § 899-bb, any data breach notifications sent by a business that is regulated by and complies with HIPAA, the Hi-TECH Act, Graham-Leach-Bliley, or other federal or New York State laws shall be deemed to also have complied with the Act.

Less business-friendly: The SHIELD Act increases the statute of limitations for actions by the Attorney General from two years to three from when the Attorney General becomes aware of the violation or the date that notice is sent, whichever is earlier. The statute of limitations is capped at six years after the company discovers the breach, unless the company took steps to hide the breach. If so, the statute of limitations will run from discovery of the hidden breach. The Act also increases the potential penalty knowingly violating the notification requirement to the greater of $5,000 to $20 per instance of failure to give notice, up to $250,000, while still permitting individuals to seek their actual losses incurred in the absence of required notice.

What comes next?

Once the SHIELD Act becomes effective – on October 24, 2019 – businesses have 120 days to adopt a notification policy that is consistent with the new provisions; they have 240 days after it is signed into law to effectuate their data security programs. In other words, businesses will be expected to take significant steps to fulfill the SHIELD Act’s requirements by March 22, 2020.

Plainly, the law does not provide a lot of ramp-up time to comply. Of particular concern is the pervasive use of a “reasonable” standard that is ill-defined and depends on many variables. Reasonable people can and often do disagree as to what is “reasonable” under different circumstances. As such, experience teaches us that we should anticipate that the SHIELD Act’s requirements will be subject to interpretation and probable litigation as to whether a business has met the statute’s requirements. Nevertheless, the introduction of “reasonableness” may also be seen as the Legislature’s effort to relieve businesses of the obligations that may not realistically be practical or necessary to undertake.

Although the devil is in the details, many of the steps recommended to address “reasonable safeguards” are practical recommendations that businesses should consider implementing now in order to minimize their risk of data breach and the potentially catastrophic impact a cyber breach can have on their bottom line. We will continue to monitor the status of the SHIELD Act and are available to assist businesses in addressing their cybersecurity legal needs.