An In-Depth Look at New York’s New Data Security Bill
First in a two-part series.
As we reported last week, New York Attorney General Eric T. Schneiderman has introduced a bill aimed at protecting New Yorkers from data breaches. The Stop Hacks and Improve Data Security Act or SHIELD Act requires businesses to “implement and maintain reasonable safeguards” to protect New Yorkers’ personal and private information; according to the Attorney General, data breaches involving New Yorkers increased 60% in 2016. The new legislation, which was introduced in the wake of the Equifax hack, is set to close “major gaps” in the State’s data security laws.
Below, in the first of two blog posts, we take a closer look at three key sections of the SHIELD Act.
The SHIELD Act covers any person or business which owns or licenses computerized data housing New Yorkers’ private information. This means even businesses that operate outside of New York are covered by and must comply with the SHIELD Act if they own or license private information for any New York resident. This is a noticeable change from the current requirement that entities must conduct business in the State of New York.
The Act makes a distinction between “personal” and “private” information. Personal information is defined as any information—name, number, personal mark, or other identifier—that can be used to identify a natural person. Private information is defined as the combination of personal information plus one or more data elements, when either is not encrypted or when the encryption key has been accessed or acquired. The following qualify as data elements under the SHIELD Act:
- Social Security number;
- driver’s license or identification card number;
- account number or credit or debit card number in combination with a password that would permit access to an individual’s financial information;
- account number or credit or debit card number if such number could be used to access an individual’s financial information without additional identifying information;
- biometric information, such as an individual’s physical characteristics;
- user name or email address in combination with a password; or
- any unsecured protected health information.
Importantly, private information does not include publicly available information that is made available to the general public pursuant to federal, state, or local government records.
A covered entity triggers the SHIELD Act when a “breach of the security of the system” occurs. A “breach of the security of the system” is defined as the unauthorized access to or acquisition of computerized data that contains private information. An employee’s good faith access to or acquisition of private information for purposes of the business does not constitute a breach if such private information is not used or subject to unauthorized disclosure.
To determine whether information has been accessed, or reasonably believed to be accessed, a business may consider whether the information was viewed, communicated, used, or altered by a person without valid authorization. And to determine whether information has been acquired, or reasonably believed to be acquired, a business may consider whether the information is in the physical possession of, has been downloaded or copied by, or has been used by a person without valid authorization.
Types of Notices
Businesses are required to disclose a breach to any resident of New York State whose private information was accessed or acquired “in the most expedient time possible and without unreasonable delay.” Businesses can provide notice to residents by using any of the following methods:
- written notice;
- electronic notice, if the individual receiving the notice has expressly consented to receive notice electronically; or
- telephonic notice.
Covered entities may also provide substitute notice if they can demonstrate to the Attorney General that providing regular notice would cost more than $250,000 or that the affected class of persons exceeds 500,000. Appropriate substitute notice consists of:
- email, if the covered entity has the email addresses for the class of persons and the breach did not include email addresses in combination with passwords that would permit access to online accounts;
- conspicuous posting of the notice on the entity’s website, if it maintains a website; and
- notification to major statewide media.
In the event a business that licenses New Yorkers’ private information suffers a breach (i.e., the business does not own the information), the business must immediately notify the owner or licensee following discovery of the breach.
Any business that suffers a breach involving the private information of a New York resident must also notify the State Attorney General, in addition to the Department of State and Office of Information Technology Services. For breaches involving more than 5,000 New Yorkers, the breached entity must also notify consumer reporting agencies.
Be sure to check back on Monday, November 20, for the second and final installment of this two-part series.