Nixon Peabody LLP
    Article

    The New York SHIELD Act — What You Need to Know

    Aug 14, 2019


    By Jenny Holmes

    At the end of July, New York Governor Andrew Cuomo signed into law the Stop Hack and Improve Electronic Data Security Act (SHIELD Act). The SHIELD Act amends and expands New York’s current data breach notification law, which may affect persons or companies that do not even conduct business in New York. Here’s what you need to know ahead of the March 21, 2020, effective date:

    Who must comply?

    Any person or business that owns or licenses computerized data that includes private information of New York residents must comply with the SHIELD Act, regardless of whether that person or business conducts any business in New York.

    An expanded definition of “private information.”

    New York’s data breach notification law has always varied from similar laws in other states in that it includes definitions for both “personal information” and “private information.” Under the SHIELD Act, “personal information” remains “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” “Private information” captures the information that, if breached, could trigger a notification requirement. The SHIELD Act expands “private information” to include:

    • Personal information consisting of any information in combination with one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
      • Social Security number,
      • Driver’s license number or non-driver identification card number,
      • Financial account numbers with required security codes or access codes, or
      • Biometric information.
    • A user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

    Access alone constitutes a “breach of the security of the system.”

    The SHIELD Act broadens the phrase “breach of the security of the system,” which consequently broadens the circumstances under which notification is required. Notably, the SHIELD Act includes in the definition of “breach of the security of the system” incidents that involve “access” to private information, regardless of whether the access led to “acquisition” of the information. Under the original New York data breach notification law, data must have been acquired to constitute a breach. The SHIELD Act keeps intact certain exceptions to the definition of “breach” including the “good faith employee” exception and provides factors for determining whether there has been unauthorized access to private information.

    Companies that are already subject to data breach notification requirements under certain other state or federal laws, including HIPAA, GLBA, and NYS DFS Regulation 500, are not required to separately notify affected individuals. However, notifications to the New York Attorney General, the New York State Department of Consumer Protection, and the New York State Police are still required.

    A risk assessment is now permitted.

    The SHIELD Act does not require notification of the breach if “exposure of private information” was an “inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” This risk assessment should be memorialized in writing.

    Reasonable data security requirements are imposed.

    The SHIELD Act also imposes data security requirements on any person or business that owns or licenses computerized data that includes private information of New York residents. These security requirements must be designed to protect the security, confidentiality, and integrity of the private information. The SHIELD Act provides examples of practices that are considered reasonable, including: (i) risk assessments, (ii) employee training, (iii) due diligence for vendor selection, and (iv) data retention and disposal policies.

    Companies subject to HIPAA and the GLBA are already deemed to be in compliance with these requirements. While this requirement applies to businesses of all sizes, data security safeguards may be implemented and maintained that are “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” For purposes of the SHIELD Act, a small business is any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets.

    There are potential penalties.

    While the SHIELD Act does not provide for a private right of action, the attorney general may bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are not reckless or knowing, the court may award damages for actual costs or losses incurred by a person entitled to notice. For data breach notification violations that are knowing and reckless, the court may impose penalties of the greater of $5,000 or up to $20 per instance with a cap of $250,000. For violations of the reasonable security measures, the court may impose penalties of not more than $5,000 per violation.

    If you have further questions about the SHIELD Act and how it may impact your business, employees, or consumers, please contact a member of our team.

    © 2023 Nixon Peabody. All rights reserved.