Every state in the U.S., including New York, has some type of consumer data security and breach notification statute. However, many lawmakers and consumer advocates believe New York’s current law doesn’t go far enough. The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), originally proposed by former New York Attorney General Eric Schneiderman in late 2017, would expand the scope of the data protected and increase notification requirements.
What is the SHIELD Act?
The SHIELD Act aims to enhance consumer data security by:
Expanding the Definition of Protected Data
The existing statute defines and addresses “personal information” and “private information.” Personal information includes “any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person.” That definition won’t change, but is relevant because the definition of private information depends on understanding what constitutes personal information.
Under the current law, private information includes any personal information (as described above) used in conjunction with a person’s social security number, driver’s license number or other account numbers in combination with security codes, access codes or passwords that would allow access to the person’s account.
One problem with the current definition of private information is that increasing use of technological solutions and quick access methods makes it possible to access many consumer accounts without a password or other access code.
While the definition of personal information would not change, under the SHIELD Act private information would expand to include:
- Financial account numbers that can be used alone to access an account, such as a credit card number
- A username or email address in combination with a password or security question and answer that would allow access to an online account
- Biometric information used to authenticate an individual’s identity
- Unsecured protected health information covered under HIPAA
This expanded definition would provide greater protection to consumers using new and evolving apps, access methods, and solutions.
Enhancing Breach Notification Requirements
The proposed law would dictate that data breach notifications include certain specific information, including contact information for state and federal agencies that provide information about data security breach and identity theft response. The new law would also impose safeguards to ensure that consumers whose email accounts were compromised receive secure notice of the breach, and require that the notifying company provide the state attorney general and other departments with a copy of the notice template.
Additional SHIELD Act Provisions
Additionally, the SHIELD Act requires companies to implement reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of sensitive data. Examples of such safeguards include:
- Identifying reasonably foreseeable risks to data security
- Selecting vendors that can maintain appropriate safeguards
- Detecting, preventing and responding to attacks and system failures
- Preventing unauthorized access to private information
As currently written, the SHIELD Act would apply to any person or entity that handles private information of New York residents, though standards are somewhat relaxed for small businesses.
Remedies Under the SHIELD Act
The new law wouldn’t provide a private right of action for consumers. Rather, the state Attorney General would be charged with enforcement. Penalties for failing to fulfill data security requirements are capped at $5,000 per violation, though it isn’t entirely clear how “violation” will be defined.
In failure-to-notify cases, actual damages are available in addition to civil penalties for knowing or reckless violations. These penalties are assessed as the greater of $5,000 or $20 per notification failure, up to a cap of $250,000.
The Future of the SHIELD Act
While strengthened data security and notification provisions would certainly be welcome, the future of the SHIELD Act is uncertain. Interim Attorney General Barbara Underwood declared her support for the SHIELD Act earlier this summer, and the legislation is receiving support from consumer groups, including AARP, Consumers Union, and the Partnership for New York City. However, the bill is currently in the Senate Finance Committee, with no date scheduled to bring it to the floor.
While the bill works its way through the legislature, consumers should be aware that state and federal law already provide protections for consumers who have been harmed by security breaches. If you have been the victim of identity theft and are having trouble correcting your credit report or terminating collection efforts relating to accounts that aren’t yours, an experienced consumer protection attorney can help to enforce your rights.