We have previously written about legal risks companies will face from the California Consumer Privacy Act (CCPA) when it goes into effect on January 1, 2020. In short, companies can be subject to consumer class actions alleging statutory damages for mishandled data—and a key defense to those suits will be evidence of reasonable security policies and procedures.
The CCPA is just one example of minimum cybersecurity standards being imposed on companies. Another important example is New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which will begin requiring substantive cybersecurity compliance on March 21, 2020.
Although the CCPA has received much more attention from companies, the SHIELD Act is also worth careful consideration because: (1) it applies to thousands of companies worldwide; (2) it imposes substantial new cybersecurity obligations on regulated organizations; (3) it aligns its standards for an effective cybersecurity program to prescriptive requirements under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and New York Department of Financial Services (NYDFS) cybersecurity requirements; and (4) it includes interesting new breach notification obligations and remedy requirements.
The Broad Reach of the SHIELD Act
New York’s existing cybersecurity and data privacy laws, N.Y. Gen. Bus. Law § 899-aa, and the NYDFS cybersecurity requirements at 23 NYCRR 500, apply only to organizations doing business in New York and those regulated by the NYDFS, respectively. By contrast, the SHIELD Act applies to any business that owns or licenses “private information” of New York residents in electronic form, regardless of whether the business otherwise operates in New York State. As a result, all companies should investigate the sources of the data they collect to assess whether the SHIELD ACT will apply to them.
Moreover, the definition of “private information” has expanded from the requirements under New York’s existing data breach notification statute, to include identifying information in conjunction with account numbers usable to access financial accounts or biometric data, as well as a user-name or email address in combination with a password or security question and answer that would permit access to an online account.
New Data Security Protection Requirements
The key evolution of the SHIELD Act is the requirement it imposes on regulated companies to implement specific data security protections. The substantive cybersecurity requirements of the Act go beyond merely requiring “reasonable security measures” like the laws of many states, including Illinois. And while New York is not the first state to impose prescriptive data security requirements, New York’s size and business importance make the requirements of the SHIELD Act harder to ignore than those imposed by some other states.
New York’s new requirements will seem familiar to entities regulated by the NYDFS. These obligations also line up with the FTC’s proposed revisions to the GLBA Safeguards Rule. But unlike those laws, which only apply to specific financial services companies, as noted above, the SHIELD Act applies broadly, bringing data security regulations for many companies in accord with those imposed on the financial sector.
Specifically, the SHIELD Act requires companies to implement significant administrative, technical, and physical safeguards:
- Administrative Safeguards:
- the designation of one or more employees to coordinate the security program;
- identification of reasonably foreseeable internal and external risks;
- assessment of the sufficiency of safeguards in place to control the identified risks;
- training and managing employees in the security program practices and procedures;
- the selection of service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and
- adjusting the security program in light of business changes or new circumstances.
- Technical Safeguards:
- assessing risks in network and software design;
- assessing risks in information processing, transmission, and storage;
- detecting, preventing and responding to attacks or system failures; and
- regularly testing and monitoring the effectiveness of key controls, systems, and procedures.
- Physical Safeguards:
- assessing risks of information storage and disposal;
- detecting, preventing, and responding to intrusions;
- protecting against unauthorized access to or use of Private Information during or after the collection, transportation, and destruction or disposal of the information; and
- disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
For companies looking for assistance in implementing these requirements, see our previous blog posts on vendor diligence; data minimization and disposal (1, 2, 3, and 4); and access controls (1 and 2).
Note that small businesses that have fewer than 50 employees, under $3 million in gross revenue, or less than $5 million in assets need only implement reasonable administrative, technical, and physical safeguards appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the information collected by the business.
Safe Harbor Compliance
Companies that are already in compliance with certain existing state or federal data security laws that govern their data—such as GLBA Safeguards Rule, HIPAA, or the NYDFS cybersecurity requirements—are considered compliant.
Additional Reforms: Breach Notification and Remedies
The SHIELD Act also introduces reforms to New York’s data breach notification requirements and remedies for breach.
The Act expands the definition of a breach that requires notification to include unauthorized access to Private Information, so mere viewing of the data may trigger a requirement to notify under the SHIELD Act. But the Act also narrows companies’ breach notification obligations by imposing a harm requirement. It is interesting to note that the kinds of harm that trigger a notification obligation include emotional harm, although the Act doesn’t provide guidance on the circumstances where emotional harm could be found.
Regarding remedies, the SHIELD Act expressly does not create a private right of action. But the substantive security requirements are likely to be relevant when litigating increasingly common negligence claims in connection with a data breach that has resulted in harm to individuals. The Act also allows the New York Attorney General to seek civil penalties (up to $5,000 per violation, with no cap) for knowing or reckless failures to comply with the new data security standards, although what constitutes a single “violation” is not made clear in the Act.
With federal privacy and cybersecurity legislation apparently stalled in Congress, the SHIELD Act is the latest example of states filling the void and enacting laws that create significant new requirements on businesses, including substantive data security obligations and expanded breach notification requirements.
Close attention should also be paid to the proposed New York Privacy Act, which did not pass in the last session but is expected to be reintroduced in the next legislative term. The Privacy Act would create fiduciary duties for companies that store personal information and create a private right of action akin to the CCPA.
We will be closely watching further developments in state cyber/privacy laws here at the Davis Polk Cyber Blog, and the Davis Polk Cyber Portal is available to assist our clients in assessing and complying with these regulatory obligations.