December 5, 2023



Look Out Marvel, There’s a NEW SHIELD in Town

For Marvel Entertainment fans, this one’s for you: Step aside Nick Fury, New York has a new SHIELD.  New York State recently passed a new law extending protections from cyber-attacks for its residents with NY Senate Bill S5575B, also known as the “Stop Hacks and Improve Electronic Data Security Act” or SHIELD Act, for short.  This Act expands New York’s data breach notification statute in definition, notice, scope, and compliance requirements of any person or business handling New York residents’ computerized private information.

The SHIELD Act first redefines “private information” to include username or e-mail address in combination with a password or security question and answer for online accounts as well as biometric information.  It also allows for reporting a breach if an account or credit card number alone (i.e. without an account access code or password) is compromised “if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password.”  Slightly more nuanced, it expands the definition of “breach of security of the system” to include an unauthorized access of private information as well as an unauthorized acquisition.  Addition of “access” means the statute will be triggered without an incident having to reach “acquisition,” a term more readily applicable in situations affecting control, possession and use of that private information.

Notice provisions are also expanded under the SHIELD Act to include a harm assessment analysis seen in other states’ notification determination process.  Simply put, inadvertent disclosure of private information by authorized persons will not require notice, provided the business reasonably determines that such disclosure will not likely result in misuse of that information or financial harm (or emotional harm in certain specific cases).  Procedural elements must be followed, including putting such determination and rationale in writing and retaining it for five years.  For an incident affecting over 500 residents, the Attorney General must be provided that determination.

The SHIELD Act also expands the scope of the breach notification statute and now has global implications, as it covers any person or business that “owns or licenses” any such “private information” belonging to residents of New York, regardless of location.  Whether you run a bodega in the Bronx or a tech start-up in Wakanda (another Marvel reference!), if you have private information about a New York resident, you are within scope of SHIELD enforcement.

The final element of SHIELD’s expansion involves compliance.  Specifically, it creates a new Section 899-bb that requires all businesses to have substantive data protections in place to safeguard “private information” through implementation of a data security program.  The data security program must include reasonable administrative, technical, and physical safeguards to protect private information.  Section 899-bb identifies specific criteria that each of the safeguard pillars may contain in order to be compliant, such as appointing an employee to coordinate the program (administrative), network risk assessments (technical) and intrusion detection (physical).  It also accounts for scalability of data protection programs for small businesses.  For this seemingly sweeping mandate under Section 899-bb, there is a saving grace.  If a business is already compliant with GLBA, HIPAA, Part 500 or any other federal or New York State data security rules, regulations, or statutes, Section 899-bb does not apply.  Absent application of this exception, however, a failure to comply with 899-bb can lead to injunctive relief or the award of damages for actual costs or losses (including consequential financial losses) to a person entitled to notice.  A knowing or reckless violation of the Article could lead to a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, with an upper limit of $250,000 in penalty.  The SHIELD Act also increases the time period to bring an enforcement action from two to three years.  Finally, the SHIELD Act leaves open the possibility that even without an incident of breach, the AG could seek to impose penalties for failure to comply with the 899-bb safeguard requirements.

Given the complexity and the nature of the amendments the SHIELD Act brings, businesses are well advised to pay close attention to their obligations to adopt reasonable security measures to protect New York residents’ private information, as well as to provide notice in the unfortunate event of data breach.  The SHIELD Act breach notification amendments are effective on October 23, 2019, while the data security requirements are effective on March 21, 2020.  This provides a grace period for businesses to get into compliance, a task made much easier with coordination and consultation with breach notification legal professionals.