On July 26, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (also known as the SHIELD Act), requiring individuals and businesses to implement safeguards for the “private information” of New York residents and broadening New York’s security breach notification requirements. Every employer in New York must comply with the SHIELD Act because “private information” includes an individual’s name and Social Security number. Although the SHIELD Act does not authorize a private right of action, the New York State Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. Such penalties could be costly, as the SHIELD Act permits the Attorney General to seek penalties of up to $250,000. Even more costly than the penalties themselves could be the costs incurred in responding to an investigation commenced by the Attorney General, including legal fees and the costs of retaining an expert.

Generally, under New York law, fines and penalties are not insurable as a matter of public policy. This raises the question of whether penalties imposed by courts as a result of a violation of the SHIELD Act would be covered by a business’s cyber insurance, or any other type of insurance policy. This article will examine the SHIELD Act and the requirements it imposes on businesses. It will also discuss the current state of the law regarding the insurability of civil fines and penalties in New York, and its implications for whether coverage would be permitted for penalties imposed under the SHIELD Act.

The NY SHIELD Act