Careers

Diversity, Equity & Inclusion

Experience

Innovation

Interactive Maps

Locations

About

Pages

Meet our team of innovators
Ask us how we do it

Professionals

Insights

Services

Thompson Hine LLP, a full-service business law firm with approximately 400 lawyers in 8 offices, was ranked number 1 in the category “Most innovative North American law firms: New working models” by The Financial Times and was 1 of 7 firms shortlisted for The American Lawyer’s inaugural Legal Services Innovation Award. The firm has been recognized by the National Law Journal as a Legal Technology Trailblazer and featured by Bloomberg for its innovative service delivery models, which drive accuracy and predictability. The firm’s commitment to innovation is embodied in Thompson Hine SmartPaTHTM – a smarter way to work – predictable, efficient and aligned with client goals. For more information, please visit ThompsonHine.com and ThompsonHine.com/SmartPaTH.

Home | Thompson Hine LLP

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Dayton

New York

Washington, D.C.

core/separator

core/heading

core/paragraph

core/list

Privacy and data security law continues to evolve, and once again, new state laws are driving the change. On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which significantly expands the state’s data breach notification law and adds new cybersecurity requirements. While the new law does not create a private right of action, it specifically authorizes the state’s attorney general to seek significant civil penalties for noncompliance.

contentpilot/introduction

Expansion of Data Breach Notification Law

The SHIELD Act expands the scope of the state’s breach notification law by broadening the types of covered personal information that trigger notification obligations and modifying the circumstances under which notification is required.

Existing New York law requires notification if an individual’s Social Security number, driver’s license or identification number, or financial account number (coupled with a security code or password), together with any personally identifiable information, is compromised. The SHIELD Act adds to this list biometric information (like fingerprints or retina scans) as well as user names and email addresses, if they are coupled with passwords or other information allowing access to online accounts. The new law also removes the requirement that a financial account number be coupled with a security code or password, if the account could be accessed without such credentials.

Importantly, the law previously only required notification of an unauthorized acquisition of computerized data. The SHIELD Act broadens this requirement by also mandating notification of an unauthorized access to protected information, a change that will undoubtedly result in more data incidents qualifying as reportable breaches. For example, it will sweep in situations where user credentials were exposed but not necessarily used, or where hackers were able to delete or lock files (such as through a ransomware attack) without actually acquiring the data. The new law also provides specific factors that businesses may use (such as indications that the information was viewed or altered) to determine whether there was unauthorized access. Interestingly, it provides an exception to the reporting obligation for inadvertent disclosures by authorized persons where there is little risk of harm, and it provides specific procedures that a company must take before using the exception. Notably, the new law does not change the time requirement for consumer notification – breaches must still be reported “in the most expedient time possible and without unreasonable delay.”

The SHIELD Act also imposes new obligations on persons maintaining private information about New York residents to “develop, implement and maintain reasonable safeguards” to protect the security of such information in both its use and disposal. In some cases, determining whether a company’s safeguards are sufficient will be relatively easy, as the SHIELD Act provides a safe harbor for organizations already covered by and complying with certain regulations, such as financial firms covered by the Gramm-Leach-Bliley Act, health care companies covered by the Health Insurance Portability and Accountability Act, and financial service providers covered by the New York Department of Financial Services cybersecurity rule. For organizations unable to take advantage of the safe harbor, the new law provides a detailed list of factors to determine whether a company has instituted sufficiently reasonable administrative, technical and physical safeguards.

A company subject to the SHIELD Act should adopt and maintain a written information security program that complies with its requirements, including addressing cybersecurity protocols, providing for employee training and designating an individual responsible for administering the program.

Thomas F. Zych 216.566.5605 <a href="mailto:Tom.Zych@ThompsonHine.com">Tom.Zych@ThompsonHine.com</a>

Steven G. Stransky 216.566.5646 <a href="mailto:Steve.Stransky@ThompsonHine.com">Steve.Stransky@ThompsonHine.com</a>

Craig A. Foster 614.469.3280 <a href="mailto:Craig.Foster@ThompsonHine.com">Craig.Foster@ThompsonHine.com</a>

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

https://admin.thompsonhine.com/wp-content/uploads/2022/04/Privacy__Cybersecurity_Update_-_New_York_SHIELD_Act_Expands_Privacy_and_Cybersecurity_Obligations_-_July_2019.pdf

New York SHIELD Act Expands Privacy and Cybersecurity Obligations

Services