Earlier this month, on November 2, New York Attorney General Eric T. Schneiderman announced that he was working with New York state legislators to introduce comprehensive new legislation to address data breaches and data privacy.  After pointing to the Equifax breach as the impetus of the legislation, the Attorney General’s Office also explained that it had received over 1,300 data breach notifications in 2016, affecting 1.6 million New Yorkers.  To address these issues, the proposed Stop Hacks and Improve Electronic Data Security (SHIELD) Act would require companies to take steps to protect private information, broadens the type of private information covered, and increases potential penalties for failures to comply with the law.  This post summarizes the key aspects of the proposed legislation, and compares it to other recently enacted data privacy legislation.

As compared to the existing state laws, N.Y. Gen. Bus. Law § 899.aa and N.Y. State Tech. Law § 208, the key features of this proposed legislation are:

  • It broadens the definition of “private information” covered by the protections of state law to include financial account information, email and password combinations, biometric information and health information as defined in the Health Insurance Portability and Accountability Act (HIPAA).
  • It lowers the required notification trigger for breaches to unauthorized “access” of private information, versus the current standard which requires “acquisition.”  This is similar to standards in Connecticut and New Jersey, and means that just the unauthorized viewing of private information would constitute a breach under these provisions.
  • It creates an affirmative requirement to maintain “reasonable administrative, technical, and physical safeguards” to protect private information.
  • It creates an affirmative requirement to dispose of private information that is no longer needed.
  • Although the Attorney General can already enforce violations of the breach notification provisions, including by seeking penalties, pursuant to N.Y. Gen. Bus. Law § 899.aa(6)(a), the proposed law would permit the Attorney General’s Office to seek penalties for those entities that fail to implement and maintain the reasonable safeguards set out in the statute, with fines reaching up to $5,000 per violation, pursuant to N.Y. Gen. Bus. Law § 350-d.
  • However, it also creates a safe harbor from enforcement for companies obtaining independent certification that they comply with one of several data security regimes, such as HIPAA, the Gramm-Leach-Bliley Act, or the law’s own newly-introduced standard.  There is an exception to the safe harbor in cases of bad faith, willful misconduct or gross negligence.
  • This law would apply to any company holding the data of New York residents, as opposed to the current standard that only applies to companies that “conduct business” in New York.

If the legislation is ultimately enacted, New York would be following in the footsteps of similar laws recently enacted by other states, such as Delaware and Maryland, in expanding the scope of private information covered and companies’ affirmative obligations to protect that information.  At the same time, it is more expansive in certain areas and less so in others.  For example, although Delaware recently expanded its law to apply to all Delaware companies, the SHIELD Act would cover all companies holding the private information of New Yorkers.  The SHIELD Act is also expansive because it requires notice to the Office of the Attorney General regardless of the number of residents affected, unlike numerous states such as California, Delaware and Florida which only require similar law enforcement notification when more than 500 or more residents are impacted.  On the other hand, the SHIELD Act did not impose a requirement to provide credit monitoring, and left in place the current statutory requirement for customers to be notified in the “most expedient time possible.”  In contrast, under its new legislation, Delaware will now require companies to provide credit monitoring when a Social Security number is compromised, and requires notice to be given within 60 days after the breach.  Similarly, the new Maryland law requires notice within 45 days after a business concludes a breach occurred and personal information may have been misused.

The press release announcing the proposed legislation from the New York Attorney General’s Office can be found here, and the text of the senate bill introduced by New York state Senator David Carlucci can be found here.