New York on Verge of Passing Landmark Data Security Legislation
What You Need To Know:
Bill Amends Existing Law to Expand Consumer Rights and Enhance Cybersecurity
On June 17, 2019, the New York Legislature approved a substantial revision of New York state’s data security and breach notification requirements under the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The bill now awaits Governor Cuomo’s signature and, if signed, will substantially impact efforts by public and private organizations to contend with breach incidents and comply with data security requirements across industries.
The SHIELD Act (the “Act”) would apply to any person or entity that processes the personal information of a New York state resident, even if such person or entity is located outside of the state. Given the size, population, and extensive business and financial influence of New York state, the Act will have national impact. With the Act, New York joins a growing list of activist states that are enacting new laws to address privacy and cybersecurity concerns.
Data Breach Implications
The Act would amend New York’s data breach law (GBL §899-aa and §899-bb) in several key areas. Specifically, the Act broadens the definition of “private information” to include biometric data, account numbers, a username or email address in combination with a password or security question and answer, and unsecured “protected health information” as defined under HIPAA. The Act also expands the definition of “data breach” to include unauthorized access to private information, replacing the current standard of unauthorized acquisition, so that an intruder viewing data may trigger the statute even where nothing is shown to have been copied or exfiltrated. Additionally, as referenced above, the Act applies beyond New York’s geographic boundaries. Taken together, these amendments raise the bar for companies that experience data breaches involving New York state residents by expanding their notification obligations.
There is also some good news for business. The Act provides that an inadvertent disclosure by an individual authorized to access the private information does not trigger notification requirements if the exposure is not likely to result in misuse or in financial or emotional harm to the affected individuals. This “harm threshold” may operate to exempt very minor incidents from the Act’s notification requirements.
The Act notably applies a reasonableness standard for evaluating data security safeguards, and treats as de facto reasonable those entities that can demonstrate compliance with selected federal and state data security frameworks, including GLBA and HIPAA as well as other New York state data security regulations such as the Department of Financial Services Cybersecurity Regulation. If, for example, a company meets the notification requirements of one of those frameworks, no further notification to affected individuals would be required under the Act, with the caveat that entities would still have to provide notice to New York authorities. As approved by the Legislature, the Act includes an interesting placeholder for future federal and New York state data security regulations, likely in anticipation of ongoing legislation at all levels. In a nod to small business, the Act defines “reasonable” data security in light of the size and complexity of the covered entity, and provides a suggested but not mandated road map of administrative, technical, and physical safeguards for implementing a compliant program.