Data breaches and identify theft are threats that consumers and businesses must protect themselves from and react to more commonly than either would like. This article: (1) outlines the requirements and procedures for companies to invoke the inadvertent disclosure exemption of the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and (2) explains the potential litigation scrutiny that can follow invoking this exception.
On July 25, 2019, Gov. Andrew Cuomo signed the SHIELD Act into law, which made several significant changes to New York’s data breach notification statute, New York General Business Law (GBL) §899-aa. See S.5575B/A.5635. The changes, include, among others: (1) adding an exemption to the individual notice requirement for “inadvertent disclosure,” GBL §899-aa(2)(a); (2) broadening the definition of “breach” to encompass “access” in addition to acquisition when it “is reasonably believed” that the “information was viewed, communicated with, used, or altered,” id. §899-aa(1)(c); (3) broadening the legal definition of “private information” (that is subject to a breach notice and data security requirement) to also include “account number, credit or debit card number … without additional identifying information, security code, access code, or password,” biometric information, and “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account,” id. §899-aa(1)(b); (4) imposing additional “reasonable” data security requirements on businesses, which requires the implementation of a statutorily compliant data security program for companies not otherwise regulated, id. §899-bb(2); and (5) expanding the geographical scope of the statute to cover any company that “owns or licenses computerized data which includes private information of a resident of New York,” id. §899-bb(2). The changes to the notification requirements took effect Oct. 23, 2019, and the data security requirements took effect on March 21, 2020.
