Over the past several years, legislators from coast to coast have increasingly made data privacy and cybersecurity top priorities. The result has been a spike in the number and stringency of laws that impose proactive and reactive responsibilities - for instance, data security and breach notifications - on companies that collect personal information, whether from their customers, their employees, end users, or others. That legislative trend has recently expanded previous obligations of companies conducting business in New York State.
On October 23, 2019, perhaps the most impactful part of New York's groundbreaking Stop Hacks and Improve Electronic Data Security (SHIELD) Act takes effect, bringing with it numerous increased - and potentially onerous - privacy-related requirements for businesses and employers throughout the Empire State. Signed into law in July 2019, the SHIELD Act substantially expands the scope and applicability of New York's existing data breach and security laws. In the simplest terms, and as detailed in our prior blog post, the SHIELD Act broadens how the terms "data breach" and "private information" are defined under state law so that previously excluded categories of information are now captured, establishes security requirements to safeguard that information, and augments the previous notification obligations that apply when that information is breached. As a result, businesses anywhere in the country that hold New York residents' private information may be subject to the law's new requirements.
One particularly important aspect of the SHIELD Act is its enhanced breach notification requirements. Under New York's previous breach notification law, the definition of "private information" subject to the law was fairly narrow and in line with other states' breach notification laws. Specifically, New York's data breach notification law previously required notification of a breach involving "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person," in combination with data such as social security numbers or driver's license/identification card numbers. Now, under the SHIELD Act and in addition to the previous categories, companies that suffer a breach of New York residents':
- financial account numbers that can be used to access an account without additional identifying information,
- biometric information (e.g., fingerprint, voiceprint, retina, or iris image), or
- user names or email addresses, in combination with passwords or security question answers that would allow access to online accounts,
must disclose such breach to the New York state attorney general; if a company determines that more than 500 New York residents' private information was involved in the breach, then the notification must be made within 10 days of the company's determination. This is just one of the many ways in which the SHIELD Act broadens the types of information and entities covered by New York's data breach laws (in addition to the imposition of additional data security requirements under the SHIELD Act that become effective on March 21, 2020).
Biometric Data Under the Expanded Breach Notification Obligations of the SHIELD Act
As part of the expansion of privacy and security laws nationwide, many states have paid increased attention to companies that handle biometric data (e.g., fingerprint, voiceprint, retina, facial, hand, or eye imaging). This growing trend in biometric legislation has resulted in laws that place proactive notice and consent obligations on biometric data collectors (the California Consumer Privacy Act, for instance, includes "biometric information" in its definition of "personal information"), and some that include a private right of action (like Illinois' Biometric Information Privacy Act (BIPA)). BIPA has resulted in numerous class actions against companies that gather biometric data from consumers or employees.
The legislative trend toward expansive obligations has also resulted in states augmenting the reactive requirements that companies face as a result of a data breach (for example, by expanding the types of personal information covered by their data breach notification laws). New York's SHIELD Act, and California's newly passed A.B. 1130 (signed into law on October 11), are prominent examples of this notable expansion of data breach laws to include biometric information. Unlike Illinois' BIPA, which has proactive notice and consent obligations as well as a private right of action for violations, many of these laws, including the SHIELD Act, focus on post-breach notification and do not confer a private right of action (but empower the state attorney general to enforce the law). In any case, both kinds of laws reflect a continuing focus on how companies gather, share, and retain data about their customers and employees, a focus that is only likely to increase.
The inclusion of biometric data in the definition of private information likely sweeps into the scope of the law a large number of practices that previously fell outside it, and will change how companies approach those practices. For example, companies that use fingerprinting for employee time-management or hand geometry for security-access controls will need to develop a formal understanding of how they collect and use such data and what to do in the event it is "breached," a term for which the SHIELD Act also provides an expanded definition covering not only unauthorized acquisition but also unauthorized access. The combined risk of enforcement of these security and notification obligations in states like New York under the SHIELD Act should encourage consumer-facing businesses and employers alike to carefully review, update, and implement comprehensive security measures, access controls, data breach response plans, and policies and procedures that adequately cover whether and how biometric data is collected, accessed, shared, and stored.
The SHIELD Act's Implications for Labor and Employment Practices
The SHIELD Act applies not only to consumer information but also to employee information. And because the SHIELD Act applies to any business that maintains the private information of New York residents, including applicants and employees - regardless of the business's size or whether it is headquartered in New York - the SHIELD Act's ramifications for employers of Empire State residents are far-reaching.
As noted above, the SHIELD Act expands the definition of private information to include additional information routinely kept by employers, such as financial account numbers, email addresses, log-in credentials (such as a user name and password), and biometric information. In practical terms, this means that companies need to be acutely aware of what information they collect from employees, how it is safeguarded, and how long it is kept (including contractually via third-party vendors), and have concrete response plans in place in the event it is breached. The SHIELD Act also imposes additional data breach reporting requirements on "covered entities" under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Now, complying with HIPAA data breach disclosure requirements will not exempt a company from notifying the New York state attorney general in addition to federal authorities.
Many common practices of human resources and employee relations departments - including the maintenance of personnel records, leave and benefits documentation, background and credit history checks, direct deposit and expense reimbursements, and use of biometric time clocks and security-access controls - now fall within the expansive purview of the SHIELD Act. As of October 23, 2019, therefore, New York State employers must safeguard the broadened range of private applicant and employee information contained in their employment records, and as of March 21, 2020 will be required to maintain heightened data security standards for such information.
To ensure compliance with the SHIELD Act, New York-based employers - and employers throughout the country who have even a single New York-based applicant or employee - should immediately take the following actions:
- Evaluate what "private information" is collected and maintained (including but not limited to applications, background check authorizations, onboarding materials, leave and benefits documents, time clock and security access data, direct deposit forms, and expense reimbursements).
- Evaluate the business's need to collect and maintain this information and consider avoiding any unnecessary collection or use.
- Review and update data security and breach policies and procedures relative to applicant or employee information.
- Review and update applicant and employee record retention and destruction policies, including those related to online job portals and application submission platforms.
- Train employees - in particular Human Resources personnel and supervisors - on the law and on any policies and procedures implemented in response.
- Ensure that vendors (including third-party background check companies and insurance, leave, and benefits providers) are in compliance with the SHIELD Act and, if necessary, amend vendor contracts to require such compliance.
While there is no private right of action under the SHIELD Act, the state attorney general may bring an action and obtain civil penalties against violating employers. Noncompliant employers could face additional exposure because applicant and employee records are often reviewed in investigations by the New York State Department of Labor and Division of Human Rights and are generally discoverable in employment litigation.
Comment and Practical Implications
Now that the SHIELD Act's expanded breach notification obligations are in effect (and its security obligations are forthcoming), organizations that have, or anticipate having, employees or consumers who are New York residents should proactively assess their compliance, both to mitigate the risk of enforcement as these types of laws proliferate and to be adequately prepared in the event of a breach. Such efforts should include: (1) determining whether existing measures (like information security programs under the Gramm-Leach-Bliley Act, the HIPAA Security Rule, or the New York State Department of Financial Services Cybersecurity Requirements) can help bring the organization into compliance with the SHIELD Act's security requirements; and (2) evaluating written policies and procedures regarding the collection, use, storage, retention, and deletion of personal information to determine whether and how they cover the expanded definitions of private information (including biometric information), and how the organization's programs and response plans can meet the SHIELD Act's data breach notification obligations. The time and resources spent refreshing policies and procedures could be far less costly than enforcement or litigation.
Client Alert 2019-252