Having come into full effect on March 21, 2020, the New York SHIELD (Stop Hacking and Improve Electronic Data Security) Act updates previous data security laws and creates more obligations and potential concerns for companies and their cyber insurers. We asked Laurie Kamaiko of Saul, Ewing, Arnstein, and Lehr law firm about this new legislation and how insurers can adapt to its legal requirements.
What Are the Key Provisions of the Act that Impact Personal Data Liability?
The New York State SHIELD Act is essentially an amendment to the state’s existing breach notification law that strengthens consumer privacy and data protection security.
“The Act broadens the type of private information that, if breached, would require notification,” says Kamaiko. In addition to name, social security number, credit card info, and address, protection has now been extended to the following areas:
- Email addresses
- Online accounts including usernames and passwords
- Online account access codes
- Biometric information (such as fingerprint, voice print, retina or iris image)
The Act also extends the definition of a data breach to include unauthorized access. This goes beyond the previous criteria, which only covered unauthorized acquisition. Kamaiko provides an example of how this extends the requirements for breach notification:
“For example, snooping malware could be on a system without someone stealing the data—but, if forensics shows that private information was viewed, that’s an event that could trigger the notification obligation,” says Kamaiko.
The second major provision that impacts personal data management liability is the expansion of breach notification and security requirements to entities that are not based in New York State but hold the private information of New York State residents. This requires non-New York companies to adapt their operations for NY SHIELD Act compliance. Given the population of New York and the size of its economy, this means that many more entities across the country are now subject to these obligations.
The size of each enterprise is also taken into consideration under the SHIELD Act.
“I should also point out,” says Kamaiko, “that the Act takes the size of the company into account and smaller entities (under 50 employees, under $3 million in gross annual revenue in each of the past three fiscal years, or under $5 million in year-end total assets), while not off the hook, will be judged as to whether they have reasonable data security measures in place according to scale.”
What Areas Are of Particular Interest for Cyber Insurers?
Like many recent privacy and cybersecurity laws such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the SHIELD Act is focused not only on breach response and notification, but also on the administrative and security measures taken in advance to protect data.
“This is a good thing,” says Kamaiko. “It requires companies to better manage risk and reduce the likelihood of incidents.”
For instance, the SHIELD Act addresses safely disposing of private information when it’s no longer needed. The Act also outlines a number of additional data security measures that should be taken including:
- Training employees in security practices.
- Appointing an employee to coordinate the data security program.
- Identifying internal and external risks and implementing reasonable technical safeguards.
- Vetting service providers and having appropriate data share agreements in place.
The requirement to have a data security program in place serves as a stick, pushing entities to adopt best practices. However, these requirements also create more risk of regulatory violation, of which companies and their insurers should be aware.
Kamaiko also raised the issue of moral obligation as it relates to cyber insurance.
“An emerging concern for cyber insurers is about whether they are—perhaps without realizing it—insuring companies for their deliberate business practices, and whether that is or should be within the scope of cyber insurance. We need to consider if there are moral hazards when coverage is broad but proper security measures are not in place. Some organizations may not see it as a problem because they have cyber insurance to cover the costs of a regulatory investigation, fines, and other [NY SHIELD Act] penalties.”
The SHIELD Act also reinforces that insurers on other lines of insurance (e.g. EPL, policies covering ERISA liability for errors in the handling of records) need to be aware of potential exposure from laws governing the handling of employee information. Another interesting example of this is the Illinois Biometric Information Privacy Act, which governs the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers.
What Can Insurers do to Limit Their Exposure to Business Practice Vulnerabilities?
To continue offering adequate coverage and limit exposures, Kamaiko advises that cyber insurers need to word policies carefully when it comes to covering violations of privacy laws.
“Carriers need to review their policies to see if they are pricing them correctly with regard to the expanded exposures,” says Kamaiko. “They might have a competitive issue there, but it’s also important to keep the pricing in line with the potential liability.”
Kamaiko points out that while the importance of practicing incident response is often directed at policyholders, insurance providers can also benefit from these tabletop exercises. This can include responding to a certain mock scenario under their own policies. As they run through a mock incident response, Kamaiko suggests insurers ask themselves this set of questions:
- Are your policies covering what you intended to cover?
- Are your policies likely to be found to cover obligations or losses you didn’t intend to cover?
- Are you broadly insuring obligations under privacy laws that encompass a policyholder’s business practices you do not want to cover?
- Are your policies appropriately taking into account your policyholders’ concerns about their expansion of liability?
Risk expansion is often discussed by virtue of technology developments, but it’s also important to think about the expansions of liability to insureds and exposures to insurers created by new regulations.
To learn more about this new legislation, read the full text of the NY SHIELD Act.
Manage New Risk Exposures with an Incident Response Plan
Cyber insurance carriers that have policyholders in New York or have New York resident customers in their databases need to be aware of SHIELD Act requirements and how they may impact their exposures.
New York State’s SHIELD Act is part of a growing list of far-reaching state and federal laws designed to protect citizen and customer data privacy. Businesses and insurers must be aware that New York and many other states are now requiring companies to take more security and breach response measures.
Organizations should anticipate that their data will be breached or accidentally leaked at some point. Given the growing scope and number of these regulations, having an actionable data breach crisis plan and reviewing data security procedures before an incident occurs is vital—it also helps demonstrate that your organization is prepared and has taken the precautions required by regulators.
To learn more about bolstering your cybersecurity and consumer privacy compliance, contact NetDiligence today.