New York Latest State to Enact Cybersecurity Law

By Joseph J. Lazzarotti

New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act puts the Empire State among a growing number of states that have enacted broadly applicable cybersecurity mandates. Potentially reaching persons and businesses outside of New York, the SHIELD Act, effective March 21, 2020, seeks to protect New York residents from rampant identity theft and similar crimes.

The new law obligates persons and businesses that own personal information to safeguard it, and strengthens the state’s existing data breach notification law. As compliance obligations reach beyond IT and technology, legal departments have a critical role to play.

The SHIELD Act’s obligations apply to any person or business that owns or licenses computerized data that includes private information of a resident of New York. Thus, persons and businesses located outside of New York that maintain private information of New York residents will need to think carefully about whether they have SHIELD Act obligations.

The SHIELD Act also applies to small businesses, although the nature and extent of their efforts can be proportionate based on certain factors, such as the size and complexity of the business.

Small businesses under the SHIELD Act include any person or business with fewer than 50 employees; less than three million dollars in gross annual revenue in each of the last three fiscal years; or less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.

A first step toward compliance requires understanding the data the law is intended to protect. The law protects “private information,” when combined with “personal information.” Personal information is defined as any information concerning a natural person that, because of name, number, personal mark or other identifier, can be used to identify that person.

Private information is either (1) personal information consisting of any information in combination with any one or more of the data elements below — when the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired — or (2) a username or e-mail address in combination with a password, or security question and answer, that would permit access to an online account.

The data elements are as follows:

• Social security number;

• Driver’s license number or non-driver identification card number;

• Account number, or credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account;

• Account number, or credit or debit card number, if that number could be used to access an individual’s financial account without additional information; or

• Biometric information.

DATA SECURITY, NOT PRIVACY

Unlike the California Consumer Privacy Act (CCPA) and certain other laws, the SHIELD Act does not create affirmative privacy rights for New York residents, such as the right to request the deletion of their personal information.

The SHIELD Act requires covered persons and businesses to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information — an obligation that could be satisfied in one of two ways.

Covered persons and businesses can meet this obligation by being a “compliant regulated entity,” that is, a person or entity subject to and in compliance with a designated data security regulatory framework such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act. A health care provider that fully complies with HIPAA will satisfy the data security requirements. However, HIPAA applies only to “protected health information” of certain individuals; in the case of a health care provider, that means patients. Such an entity still would need to comply with the SHIELD Act with respect to private information concerning its employees and other individuals who are New York residents.

Covered persons or businesses that are not compliant regulated entities can comply with the SHIELD Act by adopting a compliant data security program covering administrative, technical and physical safeguards. The SHIELD Act does not mandate specific safeguards, but it outlines examples that covered persons or businesses should be considering. These include designating individuals responsible for security programs; conducting risk assessments and assessing the safeguards in place to control those risks; training and managing employees in security program procedures; selecting capable service providers and requiring appropriate safeguards by contract; and adjusting programs in light of new circumstances.

Some examples of physical safeguards are assessing the risks of information storage and disposal; protecting against unauthorized access/use of private information during or after collection, transportation, and destruction/disposal of that information; and disposing of private information within a reasonable time after it is no longer needed.

Additionally, there should be technical safeguards in place, including assessing risks in network and software design; assessing risks in information processing, transmission, and storage; detecting, preventing and responding to attacks or system failures; and testing and monitoring key controls, systems, and procedures.

BREACH NOTIFICATION RULE CHANGES

A particularly troubling form of cyberattack on organizations is business email compromise (BEC). Attackers gain access to a company-provided email account, often through phishing, and search for wire transfer information or tax documents. Changes made by the SHIELD Act make it more likely that BEC and similar attacks will be considered breaches requiring notification.

Under previous law, only unauthorized “acquisitions” of private information could trigger a notification requirement. Under the SHIELD Act, unauthorized “access” to private information has the same effect. The law also adds several factors for determining whether there has been unauthorized access, including “indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”

Thus, in BEC matters, even if the attacker has not removed any data or was not successful in executing a fraudulent wire transfer, mere access to private information in a compromised email account’s inbox or sent items could trigger a notification requirement.

Another change to the breach notification rule under the SHIELD Act, sometimes called the “risk of harm” exception, may reduce the number of breaches reported. Under this exception, notice to affected persons is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business determines that the exposure likely will not result in misuse or financial harm (or, in the case of unknown disclosure of online credentials, emotional harm). If a person or business believes this exception applies, it must document that determination in writing and retain it for at least five years. If the incident affects more than 500 residents of New York, the person or business also must provide the written determination to the Attorney General’s office within 10 days.

If notification is required under the SHIELD Act, it must include the telephone numbers and websites of the relevant state and federal agencies that provide information on security breach response, and identity theft prevention and protection. Also, notices to state agencies, including the Attorney General, must include a copy of the template of the notice to be sent to affected persons.

The SHIELD Act does not create a private right of action. An individual might be able to sue on other grounds, such as negligence or breach of contract.

The Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are not reckless or knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For knowing and reckless violations, a court may impose penalties of the greater of $5,000 or up to $20 per instance, with a cap of $250,000. For reasonable safeguard requirement violations, a court may impose penalties of not more than $5,000 per violation.

The SHIELD Act continues an emerging trend in state laws aimed at strengthening protections for sensitive personal information. Regardless of location, industry or size, organizations should be assessing and reviewing their data breach prevention and response activities, building robust data protection programs, and investing in written information security programs.

Joseph J. Lazzarotti is a Principal of Jackson Lewis P.C. He founded and currently leads the firm’s Privacy, Data and Cybersecurity Practice Group. He also is a member of the firm’s Employee Benefits Practice Group. Joseph.Lazzarotti@jacksonlewis.com
