New law in New York State extends requirements on companies doing business with New York residents to have cybersecurity programs and expands New York’s breach notification requirements.
On July 25, 2019, Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which broadens the scope of the existing New York breach notification and data protection laws that trigger notification to affected consumers. The New York Attorney General will enforce the SHIELD Act (S.5575B/A.5635), which extends New York’s breach notification requirements to any person or entity holding private information of a New York resident, regardless of whether the breached company conducts business in New York State. This provision could significantly expand the set of companies subject to New York reporting requirements. The law also broadens the definition of a breach to cover any unauthorized “access” to confidential information, regardless of whether the data is actually “acquired.” The SHIELD Act does not create a private cause of action; however, the New York Attorney General may bring an action for civil penalties or to enjoin unlawful practices. The SHIELD Act also extends the period within which the New York Attorney General may bring an action from two to three years. Penalties for violating the data breach notification provisions can be imposed in the amount of the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000. Penalties for failing to adopt reasonable safeguards can be imposed up to $5,000 per violation.
Companies Must Adopt Comprehensive Cybersecurity Programs
Companies that hold private information about New York residents will need to adopt reasonable data security safeguards to protect the confidentiality of that data. The SHIELD Act greatly expands New York’s requirements on companies holding data relating to New Yorkers to adopt comprehensive cybersecurity programs. Companies are exempt from this requirement if they can show that they are compliant with certain other cybersecurity legal requirements, including the Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). The safeguards can be tailored to the size and complexity of the institution but must at a minimum include:
Expanded Definition of Confidential Data
The SHIELD Act also broadens the scope of information covered under the New York breach notification law to include:
With the SHIELD Act, New York joins the trend toward stronger cybersecurity, privacy and data protection laws. The law takes effect within 90 days, except that it allows 240 days for the establishment of a cybersecurity program. Companies that have not previously been subject to cybersecurity regulatory requirements will need to promptly evaluate whether both their internal programs and the third-party service providers they use comply with the comprehensive cybersecurity requirements of the SHIELD Act. Those that already have cybersecurity programs will need to update them to meet New York’s new requirements.