New York Increases Breach Notification And Security Responsibilities

Author:Mr Maxwell S. Harwitt and Steven M. Millendorf
Profession:Foley & Lardner

New York State has enacted S5575, the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”). This new law amends New York General Business Code 899-aa and adds Section 899-bb to significantly expand consumer privacy protections and the consequences of a data breach for businesses. The new law will go into effect on October 23, 2019.

New Definition of Private Information

Under current New York law, businesses must disclose a breach of “private information,” which was defined as any information that concerned a natural person that can be used to identify that natural person, such as name, number, personal mark, or other identifier (“personal information”), combined with certain other data elements as shown below. The SHIELD Act substantially broadens the definition of what constitutes a consumer's private information to include personal information combined with other types of data elements as shown below:

"Private Information" Prior New York Law SHIELD Act Social Security Number X X Driver's License Number/State ID X X Account Number, credit or debit card number (if the account can be accessed without additional information, security code, access code, or password) X X Biometric Data (i.e. data generated by electronic measurements of an individual's unique physical characteristics, such as fingerprints, voice prints, retina or iris images, used to authenticate or ascertain the individual's identity X User Name/Email Address combined with a Password/Security Question Answer used to access an online account X Expanded definition of Breach of the Security of the System and New Breach Notification Requirements

The SHIELD Act also expands the definition of a “breach of the security of the system” to include both unauthorized access or acquisition of, or access to or acquisition without valid authorization of computerized data that compromises the confidentiality, security, or integrity of private data. Previously, unauthorized access or access without valid authorization was not considered a breach; only the unauthorized acquisition, or acquisition without valid authorization of private data was considered a “breach of the security of the system” that could trigger an obligation on the business to notify consumers of the breach.

Under the SHIELD Act, businesses will not be required to provide notice to individuals affected by a breach if the disclosure of private information was an...

To continue reading