Header graphic for print
Global Media and Communications Watch The International Legal Blog for the Tech, Media and Telecoms Industry
Posted in Cybersecurity, Data Protection & Privacy Paul OttoW. James DenvilJulian Flamant

New York Enacts New Data Security Laws

On July 25, New York Governor Andrew Cuomo signed into law a pair of bills establishing new requirements for businesses that process certain personal information related to New York residents. The changes include expanding the scope of information covered by New York’s data breach notification law; defining breaches to include incidents involving unauthorized access to covered information, even where the information is not acquired; and requiring consumer reporting agencies who suffer breaches of social security numbers to offer up to 5 years of identity theft services. Businesses maintaining the private information of New York residents also will now be required to proactively develop “reasonable safeguards” within their organization as part of a new “reasonable security requirement.”

The “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act) expands the types of information covered by New York’s data breach notification law by adding:

  • Account numbers and credit or debit card numbers if compromised in circumstances where the numbers could be used to access the associated accounts without additional information;
  • Biometric information, defined as unique physical or digital representations of biometric data “used to authenticate or ascertain” a person’s identity; and
  • Online account credentials (username or e-mail address in combination with password or security question and answer).

The SHIELD Act also updates the definition of breach to include incidents involving unauthorized access to certain information about individuals. Under current law, breaches include only those incidents involving unauthorized acquisition of that information. The SHIELD Act establishes that in determining whether information has been accessed, businesses should consider whether the information was “viewed, communicated, with, used, or altered by” a person lacking authorization to do so.

The new law provides a risk-of-harm exception to the notification obligations for certain types of “inadvertent disclosures.” A business suffering a breach is not required to issue notice if the breach involved the inadvertent disclosure of covered information to unauthorized recipients and the business determines that the exposure is not likely to result in misuse of the information, financial harm to affected persons, or emotional harm to individuals if their online credentials were exposed. Businesses relying on this exception must document their assessment in writing and maintain it for five years. If the breach affects over 500 New York residents, the business must provide the low risk-of-harm assessment to the attorney general within 10 days.

Along with the changes to breach notification requirements, the SHIELD Act amends New York’s general business law to require businesses that own or license certain information about individuals to implement reasonable safeguards designed “to protect the security, confidentiality, and integrity” of the information. The SHIELD Act specifies a number of specific administrative, technical, and physical safeguards, including the requirements to perform risk assessments, manage third-party security risk, designate one or more individuals to coordinate the organization’s security program, and regularly evaluate the effectiveness of security controls that, if implemented, establish such reasonable safeguards.

The data breach notification amendments to New York law take effect on October, 23, 2019. The reasonable security requirements take effect on March 21, 2020.

Along with the SHIELD Act, Governor Cuomo signed into law S3582, which imposes new obligations on credit reporting agencies that suffer security breaches involving social security numbers. Following such breaches, credit reporting agencies must provide customers with “reasonable” identity theft prevention services and (if applicable) identity theft mitigation services for up to five years at no cost to affected individuals. Credit reporting agencies need not provide such remediation services if they reasonably determine that a breach is unlikely to result in harm to affected consumers.