Part Two: In-Depth Look at New York’s New Data Security Bill
Second in a two-part series.
Last week, in the first part of this series, we examined several key aspects of New York’s proposed data security law, the Stop Hacks and Improve Data Security Act, or SHIELD Act. In this second and final installment, we discuss three additional aspects of the proposed law: the required content of breach notices, the safe harbor provisions, and the available remedies and penalties.
Content of Notices
All SHIELD Act notices must contain the contact information of the entity providing the notice, the contact information for the state and federal agencies that provide information regarding data breaches and identity theft, and a description of the categories of information that were accessed or acquired.
Importantly, breaches involving credit or debit card information require specific content. For instance, when a covered entity issues a new credit or debit card as a result of a breach, it must notify the consumer that the new card is being issued because of a potential data breach.
Safe Harbor Provisions
As noted in our first post, the Act requires covered entities to “implement and maintain reasonable safeguards” to protect New Yorkers’ private information. There are, however, a few safe harbor provisions under which the Act’s “reasonable safeguards” requirement is deemed satisfied, namely for small businesses and for entities already compliant with other data security regimes.
For small businesses, the SHIELD Act provides a flexible approach. Any business with fewer than 50 employees, less than $3,000,000 in gross annual revenue in each of the last 3 fiscal years, or less than $5,000,000 in year-end total assets qualifies under the bill as a small business. Such a small business is deemed compliant with the “reasonable safeguards” requirement if it implements and maintains safeguards that are “appropriate to the size and complexity of the small business” to protect the private information.
The Act also provides a safe harbor for certain regulated and certified compliant entities. A compliant regulated entity is defined as a person or business that is both subject to and compliant with certain data security regulations or laws, including:
- New York’s cybersecurity regulation;
- Gramm-Leach-Bliley Act; or
- Health Insurance Portability and Accountability Act.
Other covered entities can comply with the “reasonable safeguards” requirement by implementing a data security program that, among other things:
- designates an employee to coordinate the program;
- trains and manages employees in the program;
- assesses the sufficiency of current safeguards; and
- regularly tests and monitors the effectiveness of controls.
Injunctive Relief, Damages, and Civil Penalties
Failure to comply with the SHIELD Act may result in injunctive relief, damages, or civil penalties. The SHIELD Act provides that the New York State Attorney General may bring an action for injunctive relief, for damages covering the actual costs or losses incurred by a person entitled to notice, or for civil penalties, which, in certain situations, shall not exceed $250,000. The Attorney General must commence the action within 3 years of the date the Attorney General first became aware of the violation or the date the notice was sent, whichever occurs first.
The SHIELD Act does not, however, create a private right of action.
We will continue to monitor the bill as it makes its way through Albany.