Expansive New Data Security and Breach Notification Goes Into Effect In New York and Beyond

May 11, 2020 | by Jeff Li

On March 21, 2020, New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into full effect. This Act is an amendment to New York’s existing data security and breach notification laws and reaches far beyond the territorial borders of New York.

What are the new notification requirements mandated by the SHIELD Act?

The requirements imposed by the new law apply to “[a]ny person or business which owns or licenses computerized data which includes private information… [of] any resident of New York state.”1

The Act marks an expansion of the consumer protections offered by New York's previous technology laws. Previously, only persons or businesses that conducted business in New York State were required to notify consumers of data breaches affecting their personal information. Under the SHIELD Act, any person or business that owns or licenses computerized data containing a New York resident's private information must notify the resident of a security breach compromising that data, wherever the business is located; a person or business that merely maintains such data on another's behalf must notify the owner or licensee.

Moreover, the Act broadens the scope of the state's data security laws through its definition of "private information." For the purposes of the Act, private information consists of personal information (such as a name) combined with a qualifying data element, for example a Social Security number. Biometric information, such as a fingerprint, has been added to the list of qualifying data elements, as has a username or email address in combination with a password or security question and answer.2

The definition of "breach of the security of the system" has also changed. An unauthorized person no longer needs to acquire a consumer's private information before a business is required to notify the consumer; unauthorized access to that information is now enough to trigger the notification requirement. As the text of the Act states,

In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.3

What are the new data safeguard requirements?

The Act also requires persons or businesses to put in place “reasonable safeguards” of three categories: administrative, technical, and physical. Without mandating specific requirements, the Act enumerates examples of best practices. These are:

Administrative Safeguards

  • Designate one or more employees to coordinate the security program
  • Identify reasonably foreseeable internal and external risks
  • Assess the sufficiency of safeguards in place to control the identified risks4

Technical Safeguards

  • Assess risks in network and software design
  • Assess risks in information processing, transmission, and storage
  • Detect, prevent, and respond to attacks or system failures
  • Regularly test and monitor the effectiveness of key controls, systems, and procedures5

Physical Safeguards

  • Assess risks of information storage and disposal
  • Detect, prevent, and respond to intrusions
  • Protect against unauthorized access to or use of private information during or after collection, transportation, and destruction or disposal of the information
  • Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed6

Other legal concerns relating to data breaches

Malicious actors are increasingly obtaining consumers' private information through corporate data breaches and other compromises of personal data, and failing to prevent these losses can have an enormous financial impact. The SHIELD Act itself imposes civil penalties of up to $250,000 for violations, but the direct cost of a breach is typically far larger: a 2019 IBM study estimated that the average cost of a corporate data breach had risen by around 12% since 2014, to roughly $4 million ($3.92 million in the study's figures).7

Lawsuits based on a corporate board's failure to implement adequate data security protocols or to notify customers of data breaches are increasingly common. In In re Yahoo! Derivative S'holder Litig.,8 shareholders brought a derivative suit against Yahoo! and its board based on, inter alia, the directors' and officers' breach of their duty to notify customers of several large data breaches occurring between 2013 and 2016.

The shareholder plaintiffs alleged that Yahoo! officers were aware of the data breaches long before public disclosure and that they sought to cover up such breaches. The case was settled for $29 million.9

As there is no comprehensive federal legislation on data security and data breach notification, state legislation such as the SHIELD Act and the California Consumer Privacy Act of 2018 ("CCPA") will become increasingly influential in defining the reasonable safeguards companies should implement and companies' duty to notify consumers of data breaches. By codifying those safeguards and duties, the SHIELD Act increases the likelihood of similar lawsuits against corporate directors and officers in the future.

Insurance considerations

Major insurance companies have stepped up to provide coverage for business losses and liability stemming from data breaches, as traditional commercial general liability policies often exclude cyber exposure. Data breach and cybersecurity losses are instead covered under cyber liability policies, which may include provisions on:

  • Data recovery
  • Business interruption coverage
  • Data breach notifications
  • Computer and security systems repairs
  • Liability resulting from third-party cyberattacks
  • Privacy liability
  • Media liability
  • Legal fees and settlement costs

Cyber liability policies include both first-party and third-party coverage, giving businesses recourse both for damage to their own assets and for liability toward clients and customers. As data attacks and data breach litigation become more common, these policies can be expected to become essential to any business with an online presence.


References

[1] Stop Hacks and Improve Electronic Data Security Act of 2019, S.B. S5575B, N.Y. Legis. S. Reg. Sess. 2019-2020 (2019), § 3.
[2] Id. at § 5.
[3] Id. at § 3.
[4] Id. at § 4.
[5] Id.
[6] Id.
[7] IBM Study Shows Data Breach Costs on the Rise; Financial Impact Felt for Years, July 23, 2019 (accessed at https://newsroom.ibm.com/2019-07-23-IBM-Study-Shows-Data-Breach-Costs-on-the-Rise-Financial-Impact-Felt-for-Years).
[8] In re Yahoo! Inc. Derivative S'holder Litig., Lead Case No. 17-CV-307054 (Cal. Super. Ct., Santa Clara County).
[9] See Order and Final Judgment of January 9, 2019, id.