New York’s new SHIELD Act imposes sweeping new cybersecurity obligations on any company that holds private information of New York residents as well as penalties for noncompliance. The law also adds new triggers for when a business must notify individuals of a breach, and a recent precedent may help businesses understand how state authorities are likely to apply the new provisions.
The Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which New York Governor Andrew Cuomo signed into law last week (July 25, 2019):
- requires any company holding New Yorkers’ data to implement “reasonable” data security safeguards (even if the company does not do business in New York);
- expands the types of information and cybersecurity incidents for which covered entities must notify affected individuals; and
- raises the civil penalties for violating data breach notification rules.
The SHIELD Act focuses on security, not privacy, and by doing so, it complements existing state and federal laws rather than merely replicating them. Notably, the SHIELD Act could indicate that large states are “dividing and conquering” key cyber issues, with some tackling security and others taking on privacy. Since many large businesses will likely be subject to the law of every major state, having a de facto lead for different cyber risks could potentially help businesses streamline their regulatory compliance (compared to, for example, the patchwork of overlapping and sometimes conflicting requirements of the 50 States’ data breach notification laws).
For example, the recent California Consumer Privacy Act (CCPA) requires covered entities to (among other things): (1) provide California residents with the right to opt out of the sale of their personal information; (2) designate methods for submitting data access requests; and (3) update privacy policies to reflect CCPA requirements. The SHIELD Act, by contrast, does not include specific privacy requirements. Instead, it sets out specific administrative, technical, and physical safeguards that “shall” be deemed “reasonable” security measures. In other words, the SHIELD Act is not a New York version of the CCPA that heralds the wave of CCPA copycats that some commentators predicted. Instead, the SHIELD Act focuses on security and emphasizes how security is a moving target that must be continuously revisited in light of changed circumstances, incidents, and the evolving needs of a business.
The SHIELD Act “divides and conquers” with federal regulators, too. As is common in state cybersecurity laws, it does not impose a separate individual breach notification obligation on entities that notify affected individuals under the breach notification requirements of federal laws such as the Gramm-Leach-Bliley Act or HIPAA. (Breached companies must still notify the New York Attorney General, the New York State Division of Consumer Protection, and the Division of the State Police, however.)
Indeed, New York authorities may rely on their past experience with federal privacy laws to inform their SHIELD Act enforcement actions. Specifically, a recent New York HIPAA enforcement action may foreshadow how the State’s Attorney General is likely to enforce one of the SHIELD Act’s key features: before the SHIELD Act, New York’s data breach statute required notification when unauthorized users “acquire[d]” private information (or were reasonably believed to have done so). The SHIELD Act expands the notification requirement to include incidents when private information is “accessed,” but not necessarily “acquired.”
In 2018, the New York Attorney General and the Arc of Erie County reached a $200,000 settlement for HIPAA violations based on findings that: (1) “the [sensitive] information was publically available on the internet from July 2015 to February 2018”; (2) “unknown individuals … had accessed the links with the sensitive information”; and (3) “[t]here was no evidence of malware or other malicious software on the system or any ongoing communications with outside IP addresses.” The press release announcing the settlement noted that HIPAA requires covered entities to “safeguard” health information by using “appropriate administrative, physical, and technical safeguards,” language that closely tracks the SHIELD Act (unsurprisingly, since the administrative-physical-technical triad is ubiquitous in the cybersecurity world). The Attorney General concluded that the Arc of Erie County violated that responsibility by maintaining information in a way that let unauthorized users view it, even though those users did not necessarily misuse or “acquire” the information.
Based on this penalty and the inclusion of the word “access” in the amended statute, the New York Attorney General may take the position that SHIELD Act-regulated entities have failed to implement the required “safeguards” whenever unauthorized users can view private information online, even absent any indication that the information has been acquired or misused. The SHIELD Act does provide a safe harbor from notification, but it is a narrow one: notice is not required only where the exposure was an “inadvertent disclosure” by persons authorized to access the private information and the company “reasonably determines” that the exposure “will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm [in certain circumstances].” Companies documenting those “reasonable determinations” may wish to bear in mind that the Arc of Erie County still ended up paying a penalty without “any evidence of malware or other malicious software … or ongoing communications with outside IP addresses.”