The NYSHIELD Act: It Has Arrived!

On June 17, 2019, the New York State Assembly passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the latest in the state-by-state effort to increase data protection. We have seen the Pennsylvania Supreme Court in Dittman v. UPMC create a legal duty on employers to exercise reasonable care to safeguard their employees’ sensitive personal information. California, Massachusetts, Colorado, Nevada, and Texas have all recently (or at least it feels that way) enacted some form of data privacy law. In addition, the New Jersey General Assembly adopted S52 (A-3245), which amended the data breach notification law in the Garden State.

The SHIELD Act provides a more modern approach to cybersecurity and data privacy in New York and brings the state more in line with the data privacy and cybersecurity laws of other jurisdictions. It also provides greater protection for consumers’ private information by, at least in part, holding companies accountable for providing mechanisms to safeguard the data. The SHIELD Act clearly puts the onus on organizations to implement reasonable data security protections, while allowing organizations to base what is reasonable on their size and resources. Another interesting nuance of the SHIELD Act is its extra-territorial reach. Similar to the behemoth GDPR and its somewhat less scary cousin, the CCPA, the SHIELD Act’s obligations do not end at the New York State border. Instead, it applies to organizations that conduct business out of state but collect personal data on New York residents.

So what are some of the provisions of the SHIELD Act that are more interesting and represent a departure from what New York already had? So glad you asked!

The SHIELD Act broadens what constitutes a “data breach”. Why is that important? In nearly every jurisdiction, organizations do not have to report a data incident, only a breach. The current New York law only requires notification if the data is “acquired” by a hacker. The SHIELD Act expands the definition of “data breach” to include unauthorized “access” to private information. Access could include activities such as viewing, copying, or downloading. This means that if a hacker infiltrates a system but does not exfiltrate the data, it would still constitute a reportable data breach under this expanded definition. Ostensibly, this also means that if an organization encrypts its data at rest, there would not be a “data breach” under the SHIELD Act.

Next we turn to the data itself. Thus far, the majority of states recognize a data breach when personally identifiable information (“PII”) has been compromised. Generally, PII is considered to be the magic combination of data elements that, when combined, can be used to trace or distinguish an individual. So, for example, a name plus a social security number creates PII. There is a trend we are seeing in cybersecurity laws where legislatures are expanding the definition of PII. New Jersey, for example, in its recent amendment expanded the definition of PII to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.”

The SHIELD Act similarly expands the scope of information that could trigger a legal “breach”. Now, biometric information (e.g., fingerprints) and email address/password combinations that provide account access, including security questions and answers, are included as data that, if compromised, requires notification.

What about the scope of notification? The SHIELD Act expands that too. In its prior life, the data breach notification law only applied to persons or entities conducting business in New York. Now, it applies to any organization that collects private information on a New York resident, full stop. So if you are a company that does business in, let’s say, neighboring New Jersey and collects private information on a New York resident, the SHIELD Act applies.

One of the more interesting aspects of the SHIELD Act is the imposition of proactive, reasonable security requirements on organizations that collect information on a New York resident. And, as with the extra-territorial application of the breach notification requirements in the New Jersey example above, that goes for the reasonable security measures too! In a nod to generally accepted best practices, the SHIELD Act requires an organization to develop, implement and maintain administrative, technical and physical safeguards. These safeguards should be tailored to protect the security, confidentiality, and integrity of the private information. Like most security and privacy regulations (hello, HIPAA, the Health Insurance Portability and Accountability Act), the SHIELD Act does not set forth specific requirements that would meet this reasonableness standard, but allows organizations to make decisions based on the size of the organization, the nature of the business, the costs associated with the measures, and the sensitivity of the data.

So, welcome the SHIELD Act to the patchwork of state laws in the arena of data privacy and cybersecurity. Those of us who are fascinated by data privacy and cybersecurity always enjoy comparing and contrasting laws to see (or, more accurately, not see, because these laws rarely provide concrete guidance for a company) what they require. What is needed to combat this increasingly complex regulatory world is a preemptive piece of federal privacy and security legislation. This state-by-state approach is costly and, frankly, ridiculous. Data very rarely stays in one place. It travels across borders. Knowing this, we see laws like the SHIELD Act, the CCPA and the GDPR that have an extraterritorial effect. What we don’t see is Congress stepping in to settle this area of law. But, until we do, it is imperative that organizations know and understand their data and data flows to see if they are impacted by laws like the SHIELD Act. Because, in cybersecurity and data privacy most especially, luck favors the prepared.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.