New SHIELD Act Provisions Take Effect in March, Additional Legislation Pending
As more states consider and implement privacy legislation, companies should examine what information they collect; why the information is collected; who has access to the information; how the information is protected from unauthorized access; and whether the company is prepared in the event of a breach.
February 26, 2020 at 11:00 AM
7 minute read
An amendment to New York's data breach notification law, the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), will take effect on March 21, 2020. The amendment to the SHIELD Act creates stricter data security over confidential personal information and breach notification requirements to protect New Yorkers following a breach.
The amendments to the SHIELD Act broaden the law's reach applying to any company that collects personal information of New York residents, even if the company does not conduct business within the state of New York. The information protected under the SHIELD Act includes: social Security numbers, drivers' licenses numbers, credit or debit card numbers, financial account numbers with or without security codes, biometric information, email addresses, email passwords, and email security questions and answers.
The amendments also broaden the definition of "breach," which is newly defined as requiring only unauthorized access to confidential information to constitute a breach, even if the accessor fails to take or use the information obtained. Once a breach occurs, companies must notify consumers "immediately following discovery." Notice to consumers must include:
… contact information for the person or business making the notification, the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information, and a description of the categories of information that were, or are reasonably believed to have been, accessed or acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so accessed or acquired.
There are two exceptions to the SHIELD Act's notification requirement: (1) when the breach was inadvertent by someone who had authority to access the information and reasonably determines that the exposure will not likely result in misuse or harm; or (2) if notice of the breach is made to affected persons through another breach notification law, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996.
To prevent breaches from occurring, the amendments to the SHIELD Act also require companies that own or license computerized data containing private information to "develop, implement and maintain reasonable safeguards." Businesses can comply with this requirement upon implementation of a data security program that includes any of the following:
- Reasonable administrative safeguards, such as: designating an employee to coordinate the security program; identifying reasonably foreseeable internal and external risks; assessing the sufficiency of safeguards in place to control the identified risks; training and managing employees in the security program and practices; and adjusting the security program in light of business changes or new circumstances
- Reasonable technical safeguards, such as: assessing risks in network and software design; assessing risks in information processing, transmission and storage; detecting, preventing and responding to attacks or system failures; regularly testing and monitoring the effectiveness of key controls, systems and procedures
- Reasonable physical safeguards, such as: assessing risks of information storage and disposal; detecting, preventing and responding to intrusions; protecting against unauthorized access; and disposing of private information within reasonable time after it is no longer needed for business purposes.
The SHIELD Act limits liability to actions brought by the Attorney General. Civil damages in the event of a knowing or reckless violation of the SHIELD Act can amount to the greater of $5,000 or up to $20 dollars per instance of failed notification, not to exceed $250,000.
|The New York Privacy Act
The passage of the SHIELD Act last year came after the introduction of SB-5642, known as the "New York Privacy Act" (NYPA). Currently pending before New York's Senate Consumer Protection Committee, the NYPA, if passed, would arguably become the strictest data privacy law in the country.
While the NYPA is largely based on the California Consumer Privacy Act (CCPA), it contains some notable distinctions. Unlike the CCPA, the NYPA would apply to all companies that conduct business in the state or produce products or services that intentionally target New York residents. This would be broader than the applicability of the CCPA and much of the privacy legislation pending in other states that base applicability upon annual revenue.
A unique provision of the NYPA is its requirement that companies act as "data fiduciaries" when collecting New York residents' personal data. To be in compliance with this section of the NYPA, companies must "act in the best interests of the consumer, without regard to the interests of the entity … in a manner expected by a reasonable consumer under the circumstances." In this capacity, companies must reasonably secure personal information from unauthorized access and promptly inform consumers in the event of a breach. Further, companies must safeguard against "privacy risks," or "potential adverse consequences to consumers and society arising from the processing of personal data," that could result in the following harm to consumers:
direct or indirect financial loss or economic harm; psychological harm, such as anxiety, embarrassment, fear and other demonstrable mental trauma; significant inconvenience; adverse effect relating to a person's eligibility for rights, benefits or privileges in employment, credit and insurance, housing, education, professional certification or the provision of health care services; stigmatization or reputational harm; disruption and intrusion from unwanted commercial communications; price discrimination; effects that are reasonably foreseeable to the company; and other adverse consequences that effect an individual's private life.
Additionally, data fiduciaries under the NYPA cannot use personal information to the detriment of the consumer or in a way that would foreseeably and materially harm or be highly offensive to a reasonable consumer. "Materially harm" and "highly offensive to a reasonable consumer" are undefined currently. It will be interesting to see if and how lawmakers decide to define these terms.
Another distinct feature of the NYPA is the requirement that consumers "opt in" to the collection of their personal data. Absent clear consent, companies may not use, process or transfer a consumer's personal information. The concept of consumers "opting-in" is consistent with the European Union's General Data Protection Regulation (GDPR), rather than the CCPA, which requires consumers to "opt-out" of having their data collected.
Similar to the GDPR and CCPA, the NYPA provides consumers with numerous rights, such as the right of consumers to: access their personal data; request a correction of their personal information; request a company to complete incomplete personal information; request a deletion of their personal information; and request a company to stop processing personal information.
The Attorney General can bring an action on behalf of the state of New York to seek redress against companies who fail to comply with the NYPA. Additionally, consumers have a private right of action and can pursue either an injunction or actual damages for NYPA violations. Unlike the CCPA, whose limits provide consumers with statutory damages per violation without needing to show how a breach of the CCPA actually damaged the individual consumer, the NYPA awards damages to consumers only if actual damages can be proven, likely making it more difficult for consumers to sustain a cause of action.
|The Takeaway
Privacy is now an important part of conducting business every day. As more states consider and implement privacy legislation, companies should examine what information they collect; why the information is collected; who has access to the information; how the information is protected from unauthorized access; and whether the company is prepared in the event of a breach. These considerations are important and necessary steps to ensure compliance with existing laws and to be fully prepared for compliance with laws that are pending legislation but coming soon. Companies that fail to take action and ignore compliance risk government enforcement, class action lawsuits, damage to its reputation, financial consequences, and loss of customers.
Christopher A. Iacono is a partner of Pietragallo Gordon Alfano Bosick & Raspanti, where he practices in the cybersecurity and privacy, government enforcement, compliance, and white-collar litigation, and commercial litigation groups. Gabrielle I. Weiss is an associate in the firm's cybersecurity and privacy and employment and labor groups.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllCan Law Firms Avoid Landing on 'Enemy' List During the Trump Administration?
5 minute readLaw Firms Mentioned
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250