Your office manager accidentally clicks on a link in an email that appears to be from you. Now there are fraudulent emails being sent out from your office manager’s email account because a cyber hacker has gained access. You call your IT provider, get the situation under control, block the cyber attacker’s access, and nothing bad seems to have arisen from the mistake. Phew, disaster averted! Not quite. If you are a business holding private information of New York residents, you may now be obligated to notify affected persons, even if nothing negative happened, if the cyber-attacker had access to private information.
New York has now joined the ever-expanding list of states with broad notification requirements in the event of a data breach. On October 23, 2019, the breach notification requirements of New York’s Stop Hacks and Improve Electronic Data Security Act, known as the SHIELD Act, went into effect, imposing requirements on businesses (including law firms) both within New York and outside of the state. The SHIELD Act expands on existing New York legislation such as the Information Security Breach and Notification Act, as well as N.Y. Gen. Bus. Law § 899-aa (and adds section 899-bb).
The most significant changes that the SHIELD Act imposes on existing legislation are:
- Broadening the definition of a breach
- Expanding the definition of “private information”
- Enlarging the geographical scope of businesses affected
- Imposing data security requirements
Definition of a Breach
The most significant, and immediately relevant, change in the Act expands what constitutes a data breach. Previous data security legislation in New York only required notification in the event of a breach of certain private information if such information was “acquired” via unauthorized means. The SHIELD Act now triggers the notification requirements if there is “unauthorized access” to private information. This is significant because the prior definition was relatively narrow. In the event of a breach, it is often very difficult to determine whether any information at all was acquired. If it could be determined that specific information was obtained, only those people whose personal information was acquired – and those people only – had to be notified. Now, the mere existence of unauthorized access into a data system containing private information, whether or not it is clear such information was acquired, can trigger notification requirements to every single client who is a New York resident whose private information was contained on the data system. This means that more data breach incidents, if not all of them, will require notification.
Definition of Private Information
The SHIELD Act expands the scope of private information that triggers notification requirements once accessed without authority. Private information includes personal information (such as someone’s name) in combination with an identifying “data element” such as a social security number, driver’s license number or non-driver identification card number. The SHIELD Act now adds as data elements: (1) account, credit card or debit card numbers which provide access to a financial account without a password and (2) biometric information used to authenticate identity, such as fingerprint, voice, and retinal scans. Notification requirements are also now triggered in the event of unauthorized access to a user name or email address in combination with a password or other information which would permit access to an online account (no personal information, such as a name, is required).
The SHIELD Act makes notification requirements incredibly broad and applies to any business or person that handles the private information of a New York resident. The prior statute only applied to entities conducting business in New York State. Now, if you are a Florida law firm holding the social security number of a New York client for a property transaction, the Act applies to you.
Notification entails notice to the affected persons as well as to the Attorney General, the Department of State Consumer Protection Board, and the state police regarding “the timing, content and distribution of the notices and approximate number of affected persons.” Because of this, a breach can become time consuming and expensive, not to mention the potential hit to professional reputation.
Not all breaches trigger reporting requirements under the Act, which applies a “harm to the individual” standard. There is an exemption that applies if the exposure of private information was an “inadvertent disclosure” and it is reasonably determined that the exposure is not likely to “result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” § 899-aa(2)(a). This determination must be documented in writing and maintained for five years.
Data Security Requirements
Whereas previous rules only required businesses to act after a data breach, the SHIELD Act now imposes affirmative data security requirements, which take effect March 21, 2020, and which could represent an additional financial burden on businesses working with New York residents. However, like much of the current rules in place requiring data safeguards, the scope of what is necessary under the Act remains unclear.
Following the language of legal ethics opinions and the ABA Model Rules of Professional Conduct, the Act requires businesses and persons subject to its provisions to maintain “reasonable safeguards” to protect the security, confidentiality, and integrity of the information. The use of the term “reasonable” instead of a specific security guideline leaves the requirements almost intentionally vague and flexible. This is seemingly because what might be a reasonable safeguard for a large nationwide company with private data systems holding millions of users’ credit card information will be vastly different from what is reasonable for a solo practitioner attorney with a single email address containing emails with the social security numbers of a handful of clients.
The Act provides that a person or business meets the new standards if they implement a data security program which maintains protections under three categories: (1) reasonable administrative safeguards, (2) reasonable technical safeguards, and (3) reasonable physical safeguards. However, this requirement only applies to businesses that are not subject to, and compliant with, other specified legislation covering data security such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act, and the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) regulating financial institutions.
Reasonable administrative safeguards are about planning and foresight with regard to data breaches. These administrative protections include requiring a person or business to (1) designate employees to coordinate a security program, (2) identify reasonably foreseeable internal and external risks, (3) assess the sufficiency of safeguards in place to control the identified risks, (4) train and manage employees in security program practices and procedures, (5) select service providers capable of maintaining appropriate safeguards and require those safeguards by contract, and (6) adjust the security program in light of business changes or new circumstances.
Technical safeguards would seem to be the most easily defined prescriptions. A person or business meets these requirements if they assess risks in network and software design as well as in information processing, transmission and storage. They must also detect, prevent and respond to attacks or system failures and regularly test and monitor the effectiveness of key controls, systems and procedures.
Finally, the requirements for physical safeguards are to (1) assess risks of information storage and disposal, (2) detect, prevent, and respond to intrusions, (3) protect against unauthorized access to or use of private information during or after the collection, transportation or disposal of the information, and (4) dispose of private information within a reasonable time frame after it is no longer needed for business purposes. For law firms, which generally have obligations to maintain files for a certain amount of time after the termination of representation (for example, 7 years in New York and 5 years under the Model Rules), the “reasonable time frame” until private information must be disposed of may be fairly lengthy.
These new required standards are far reaching and very broadly construed. There is no legal definition for the safeguards described in the law, and it remains to be seen how they will be enforced.
There are carve-outs for small businesses, defined as a person or business with fewer than 50 employees, less than $3 million in gross annual revenue or less than $5 million in year-end total assets. Although small businesses do not have to undertake the extensive assessment described here, they are still required to implement “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.” Needless to say, these measures are even less well defined than those detailed above, again perhaps intentionally so, to allow for flexibility depending on the realities of the amount of risk and the financial constraints of the small business, and so as not to impose prohibitively expensive requirements.
Other Notification Requirements
The Act also makes some other specialized changes, including requiring covered entities under HIPAA that have triggered HIPAA’s reporting provision (requiring reporting to the Secretary of Health and Human Services) to also report to the State Attorney General, even if the data at issue does not count as private information under the SHIELD Act.
The SHIELD Act also enlarges the civil penalties for breach notification violations, which may be set up to twenty dollars per instance of failed notification, with a maximum cap of $250,000. The Act authorizes the Attorney General to obtain civil penalties and actual costs and losses as a result of a failure to notify, but does not provide for private causes of action. For violations of the data security standards, penalties may be imposed up to $5,000 per violation.
How should those entities that handle New Yorkers’ private information respond to the changes inherent in the SHIELD Act? Reviewing the security programs already in place is a good first step. Explore what kind of data is handled and stored, and how it is protected. Think about implementing a data breach protocol and become familiar with the reporting and notification requirements. Updated policies and procedures may be necessary.
As the law becomes better understood through practice and enforcement, there will undoubtedly be some adjustment on the part of those affected by the Act and those who enforce it.
This article was prepared by Rachel Aghassi and Asher Kest of the New York City-based law firm of Furman Kornfeld & Brennan LLP. Rachel and Asher are part of a team of 36 lawyers and paralegals devoted to the defense of attorneys and other professionals in malpractice and disciplinary matters, as well as the defense of construction and personal-injury accident claims. For more information about the above topic or authors, please visit: www.fkblaw.com. We trust that the article was useful and thought-provoking; however, please note that it is intended as a general guide and opinion only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.
For more information on LPL coverage generally and Cyber Liability insurance, contact Greg Cooke at USI Affinity today.
Note: Previous rules only included this as a data element when combined with a password.