Client Alert: New York State Greatly Expands Data Protections for Consumers

Governor Cuomo signed the Stop Hacks and Improve Electronic Data Act (SHIELD) on July 25, 2019, providing stronger protections for New Yorkers by imposing strict cybersecurity requirements on all companies, broadening the Attorney General’s oversight over data breaches, and expanding data breach notification requirements.  The SHIELD Act will go into effect 240 days after becoming law.

The SHIELD Act lowers the threshold for when entities must provide notification of a breach.  Now, entities must provide notification where “unauthorized access” of private information has taken place.  This change replaces the previous threshold of unauthorized “acquisition” of the information.  What information constitutes “private information” subject to mandatory reporting duties has also expanded and now includes:

Consumer notification of the unauthorized access is not required if the data exposure was inadvertent and the business determines that misuse of such information, or financial or emotional harm to the affected individuals, is unlikely.  That determination, however, must be documented in writing, and the business must notify the Attorney General of the determination within ten (10) days of making the decision.

Under the SHIELD Act, all persons or businesses that own or license the private information of a New York resident must comply with obligations to maintain “reasonable security safeguards to protect the security, confidentiality, and integrity of private information.”  Except for certain entities (such as those subject to federal financial or health authorities), a business is deemed compliant with the SHIELD Act’s security requirements when it creates the following administrative, technical, and physical safeguards:

Administrative Safeguards:

Technical Safeguards:

Physical Safeguards:

Companies should update their incident response plans to incorporate the expanded definition of private information and to provide a procedure for documenting inadvertent exposure.  Companies should also review their safeguards to determine whether they satisfy the substantive security requirements.  For assistance with compliance questions, policy review, or incident response preparation, please contact John Landolfi, Christopher Ingram, Sarah Boudouris, or your Vorys attorney.