Page 23 - SMRH Eye on Privacy 2019 Year in Review Brochure

New York SHIELD Act Expands Breach Notice Requirements Starting in October
Posted on August 27, 2019
As we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective October 23, 2019.
As amended, the scope of private information which, if breached, may trigger notification obligations to individuals will be broadened. Added to the existing definition of private information will be biometric information, username in combination with a password or security question and answer that permits access to an online account, and an account number or credit or debit card number without additional identifying information if the number can be used to access an individual’s financial account. The amendment similarly broadens the definition of a breach, which will now include “access” alone to triggering information (as opposed to the prior definition, which limited a breach to “acquisition of” triggering information). In determining whether unauthorized access has occurred, the SHIELD Act now explains that businesses may consider “indications that the information was viewed, communicated with, used or altered.”
Companies that determine that misuse or financial harm is unlikely do not need to notify, but must document that determination and maintain it for at least 5 years. However, if the incident involves over 500 New York residents, the company will have to submit that determination in writing to the attorney general within ten days after making it. The law also contains some minor additional modifications, such as requiring any consumer notice to include the phone number and website of the relevant state and federal agencies that provide information on security breach response and identity theft prevention and protection.
PUTTING IT INTO PRACTICE: Companies that maintain a nationwide breach notice plan will want to take into account these updates to the NY notice requirements, including the expanded scope of triggering information and the definition of a “breach.”
Maryland Adds Requirements to Breach Notice Law
Posted on July 2, 2019
Maryland has amended its breach notification law to require businesses that maintain data, not just those that own or license the data, to conduct “a reasonable and prompt investigation” into whether personal information has been or will be misused. This requirement will go into effect in October 2019. Starting then, vendors who maintain information will also have a duty to investigate, not just data owners. This is unlike other states with “duty to investigate” requirements, like Connecticut, Delaware, New Hampshire, and Wyoming, among others. In those states (and others), only the data owner is statutorily required to investigate. To the extent that vendors have been obligated to investigate, that obligation falls under other provisions of breach notice laws, namely requirements for the vendor to “cooperate” with the data owner. Or, in some cases, companies may have contractually required their vendors to conduct investigations in the event of a breach or potential breach.
PUTTING IT INTO PRACTICE: Data owners may welcome this investigation requirement now being placed on data “maintainers.” Companies that maintain data on behalf of others should keep this duty to investigate in mind, in addition to existing “cooperation” obligations.