As mega-breaches heighten concern about the security of personal information and a federal solution does not appear forthcoming, New York recently joined the growing list of states imposing their own security obligations on businesses. On July 26, 2019, New York's governor signed the "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act, requiring businesses to implement safeguards for the "private information" of New York residents and broadening New York's security breach notification requirements.
Every employer with employees in New York must comply with the SHIELD Act because "private information" includes an individual's name and Social Security number. Beyond that, many businesses without a New York presence may be required to comply as the law applies to any business that maintains the "private information" of New York residents. That term includes—in in addition to a Social Security number—a driver's license number; credit or debit card number; financial account number, with or without security code, as long as an unauthorized person could gain access to the account; biometric information; and username or e-mail address with a password that permits access to an online account. Given the SHIELD Act's breadth and the fact that it imposes requirements directly relevant to human resources professionals and in-house employment counsel, every employer needs to understand and address the SHIELD Act's implications for employers.
HR's Role in Implementing a Data Security Program
The SHIELD Act requires employers in possession of New York residents' private information to "develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information."1 The SHIELD Act does not mandate specific safeguards but instead provides that a business will "be deemed to be in compliance with" this standard if it implements a "data security program" that includes all of the elements enumerated in the SHIELD Act. Some key elements with relevance to HR stakeholders include the following:2
- Designating an employee or employees to coordinate the data security program.
- Training and managing employees in the security program practices and procedures.
- Assessing internal and external risks and implementing controls to reduce those risks.
- Vetting service providers and binding them contractually to safeguard private information.
- Securely destroying private information within a reasonable amount of time after it is no longer needed for business purposes.
The human resources team can play an important role in each of these elements of a data security program. HR may need to ensure that employees designated to implement the data security program have the bandwidth to perform these responsibilities in addition to other assigned responsibilities. Employee training typically is an HR responsibility, and information security training for line employees should focus on proper handling of sensitive information, a natural topic for HR professionals. While risk assessments may focus heavily on technical threats, they also need to assess threats raised by negligent and malicious insiders. HR departments routinely outsource functions involving "private information." HR professionals should ensure that those vendors' data security programs are properly vetted and that legal counsel has included adequate information security terms in vendor agreements. Finally, HR needs to ensure that records containing the private information of New York employees are securely destroyed promptly after the applicable retention period expires.
Two types of businesses can satisfy the "reasonable safeguards" requirement other than by implementing a data security program as defined by the SHIELD Act. Small businesses—those with fewer than 50 employees or less than $3 million in gross annual revenue—need only ensure that their data security safeguards are "appropriate for the size and complexity" of the small business, the "nature and scope" of the small businesses' activities, and the sensitivity of the personal information the small business handles.3 Businesses, large or small, that are in compliance with other regulatory schemes requiring information security, such as the Gramm-Leach-Bliley Act, the HIPAA Security Rule, or the New York State Department of Financial Services' "Cybersecurity Requirements for Financial Services Companies," are deemed compliant with the SHIELD Act.4
Critically, the SHIELD Act specifically states that it does not confer a private right of action but rather provides for enforcement by the state's attorney general. The SHIELD Act's data security requirements take effect on March 21, 2020.
Expanded Breach Notification Requirements
The SHIELD Act also amends New York's existing security breach notification law to broaden notification obligations. HR professionals and in-house employment counsel at organizations with New York employees need to be familiar with these changes.
The SHIELD Act substantially expands the definition of "private information," which, if compromised, could trigger notification obligations. Private information now includes—in addition to Social Security number, driver's license number, credit or debit card number, or financial account number with any required security code—the following: (a) biometric information; (b) e-mail addresses and corresponding passwords or security questions and answers; and (c) financial account number without a required security code if an unauthorized person, nonetheless, could access the account.5 The addition of biometric information is significant for employers, as many now rely on biometric time clocks to record employee time. E-mail address and password also is a notable addition for employers as they move increasingly to web-based e-mail accounts for corporate e-mail.
The SHIELD Act also expands the definition of "breach," another significant change for employers. "Breach" now includes unauthorized "access," rather than solely unauthorized acquisition.6 This addition is critical for employers that have moved to web-based e-mail accounts for corporate e-mail. When these accounts are hacked, which can occur when employees are duped into disclosing their account credentials in response to a phishing e-mail, an employer often can establish that no information was exfiltrated or acquired from the account. However, employers typically cannot establish that the hacker did not access private information that may be stored within the account. Consequently, the training required for a compliant data security program should educate employees on how to identify, and avoid responding to, phishing e-mail.
The SHIELD Act adds an important carve-out from the breach notification requirement for inadvertent disclosures of private information that are not likely to result in misuse of information.7 Human resources professionals might, for example, accidentally e-mail documents or spreadsheets containing Social Security numbers to the wrong employee. To benefit from this exception, the employer must (a) document its determination that the inadvertent disclosure is not likely to result in misuse, and (b) maintain that documentation for five years. Moreover, if the incident were to involve the private information of more than 500 New York residents, the employer would be required to submit the documentation to the state's attorney general within 10 days of that determination.8
While the SHIELD Act, as noted above, does not permit a private right of action, it doubles the penalty recoverable by the attorney general from $10 to $20 per failed notification and increases the maximum penalty from $100,000 to $250,000.9 The breach notification amendments take effect on October 23, 2019.
Implications for Employers
The SHIELD Act highlights the importance of HR professionals' and in-house employment counsel's involvement in their organization's information security efforts. These stakeholders are ideally situated to support an organization's data security program, by considering the following steps:
- Ensuring that designated employees are able to fulfill their responsibilities to implement and maintain the data security program;
- Helping to train employees on data security;
- Assisting IT in assessing information security risk posed by negligent or malicious insiders;
- Negotiating information security provisions in agreements with vendors that handle private information;
- Helping to ensure that HR information is securely destroyed promptly after data retention periods expire (assuming a legal hold has not been implemented).
When a security incident occurs involving HR data, these stakeholders can play a critical role. For example, they can evaluate whether an authorized employee's disclosure of private information was inadvertent and, if so, the likelihood that the information will be misused. They also will be critical to investigations into whether a hacked, web-based corporate e-mail account contains private information because of their knowledge of the victimized employee's job responsibilities. In short, the SHIELD Act highlights why and how HR should support an organization's information security or IT team to enhance the organization's data security program.
1 N.Y. Gen. Bus. L. §899-bb(2).
2 N.Y. Gen. Bus. L. §899-bb(2)(b)(ii).
3 N.Y. Gen. Bus. L. §899-bb(2)(c).
4 N.Y. Gen. Bus. L. §899-bb(2)(b)(i).
5 N.Y. Gen. Bus. L. §899-aa(b).
6 N.Y. Gen. Bus. L. §899-aa(c).
7 N.Y. Gen. Bus. L. §899-aa(2)(a).
9 N.Y. Gen. Bus. L. §899-aa(6)(c).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.