The New York State legislature passed the "Stop Hacks and Improve Electronic Data Security Act" (the "SHIELD Act") to enhance cybersecurity protections for New York residents by expanding the state's existing data breach notification requirements.

The legislation:

  • widens the definition of "private information" to include biometric data, a username or email address, and a password, or security questions and answers that would permit access to an online account;

  • expands the definition of "data breach" to include unauthorized access to private information on a data system, even if such private information is not stolen;

  • extends the breach notification requirement to include any person or entity that owns or licenses computerized data that includes private information, even in the absence of a New York business enterprise;

  • updates the notification procedures following a data breach; and

  • enacts "reasonable" data security safeguard requirements, including the designation of cybersecurity personnel, sufficient data protection controls, and employee training on cybersecurity practices and procedures.

Failure to comply would result in fines of $5,000 per violation, or $20 per notification failure (up from $10), for a total of up to $250,000 (up from $150,000).

The bill is now pending the signature of Governor Andrew Cuomo.

Commentary / Joseph V. Moreno

The SHIELD Act, which was proposed in the wake of the Equifax data breach in 2017 and has been in legislative limbo ever since, would be a significant expansion of New York's breach notification law. If enacted, the bill would add New York to the minority of states in which unauthorized "access" to data systems is sufficient to constitute a breach, regardless of whether any private information is actually "acquired" (or "exfiltrated"). This distinction could be especially significant in the ransomware context in which private information may not be stolen but nonetheless may be accessed in a way that would now constitute a data breach and may trigger notification obligations.

Unlike the EU's General Data Protection Regulation (GDPR) and California's new California Consumer Privacy Act (CCPA), the SHIELD Act would not regulate the collection or sharing of customer information, nor would it replace New York's existing breach notification requirement of "without reasonable delay" with a more aggressive standard such as the GDPR's 72-hour standard. However, the bill is among the nation's most stringent when it comes to breach notification requirements, and constitutes a reminder that the United States continues to operate without a single federal data breach standard.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.