Implications of New York’s SHIELD Act on Biometric Privacy
At the end of March 2020, the final portions of New York’s Stop Hacks and Improve Electronic Data Security Handling Act (“SHIELD Act”) went into effect. The SHIELD Act imposes a new mandatory data security regime over a wide range of companies with ties to New York, while also expanding the scope of the state’s data breach notification law.
Significantly, the law directly implicates any entity that collects or uses biometric data of New York residents, even if that business does not maintain any operations within the state. The SHIELD Act also exemplifies the increased willingness of state legislatures to look for ways outside the context of targeted, focused biometric privacy statutes to increase regulatory requirements and restrictions over the use of biometric data, further underscoring the importance of ensuring entities’ biometric privacy compliance programs keep pace with the fast-changing legal landscape.
The first key aspect of the SHIELD Act is its expansive scope. The Act encompasses a broad range of personal information, including biometric data. The law also extends to all businesses that collect or use the personal data of New York residents—regardless of whether those entities actually conduct business in the state.
Taken together, the SHIELD Act significantly impacts companies not just in New York—but throughout the country—that utilize the biometric data of New Yorkers.
The second key aspect of the SHIELD Act—and probably its most noteworthy—is that it imposes new data security requirements on all companies that collect or use the biometric data of at least one New York resident. Under the law, covered entities must “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including, but not limited to, disposal of data.” The law does not mandate specific safeguards but offers several examples of security measures that are deemed to be reasonable safeguards.
This facet of the SHIELD Act reflects a growing trend among state-level legislators of enacting laws that require companies handling sensitive biometric data to strengthen their data security practices. New York is the fifth state to adopt a reasonable security requirement, and only the second to do so outside the context of a targeted biometric privacy statute.
Given increased awareness of the prevalence of data breaches, and growing interest in ensuring biometric data is protected, data security requirements like those found in the SHIELD Act covering fingerprints, facial geometry, and other forms of biometric data are likely to be enacted in other states. In particular, the adoption of targeted data security requirements mandating reasonable security measures for biometric data by both California, via the California Consumer Privacy Act of 2018 (“CCPA”), and New York may accelerate the pace at which the remaining states that have yet to implement focused data security laws covering biometrics enact similar laws.
Due to this growing trend, it is imperative companies develop comprehensive data security programs that integrate robust security safeguards into all facets of their businesses. In particular, to comply with the SHIELD Act’s security requirements, companies should consider implementing the following practices:
- Designate one or more employees to manage and oversee the company’s biometric data security program.
- Perform periodic risk assessments and penetration testing to identify the primary risks and vulnerabilities to the personal data the company possesses, and implement any necessary modifications to the organization’s information security program to minimize the risk of those vulnerabilities being exploited by malicious hackers.
- Complete mandatory cybersecurity awareness training for all employees.
- Ensure proper due diligence and vetting of all service providers that handle company data, as well as the inclusion of necessary contractual language in all service provider agreements to ensure biometric data is adequately protected.
- Maintain stringent password protection policies.
- Ensure all company data is encrypted, both while at rest and in transit.
- Utilize a strong firewall and antivirus protection.
- Implement network security monitoring tools to identify and detect unauthorized data access, attempted cyber-attacks, and other malicious behavior.
- Implement appropriate data retention and destruction policies.
Data breach notification
Finally, the SHIELD Act also broadens the scope of the state’s existing breach notification law.
Under the SHIELD Act, a business must disclose any data breach to all residents of New York whose private information was, or is reasonably believed to have been, acquired or even accessed by a person without authorization. Notice must also be given to the New York Attorney General, Department of State, and State Police, along with a template of the notice that was sent to impacted individuals. Where a breach impacts more than 5,000 New York residents, the breach victim must also provide notice to consumer reporting agencies.
This aspect of the SHIELD Act exemplifies one of the primary ways lawmakers have sought to increase regulation over biometric data—by expanding the scope of privacy laws to include biometric data and the circumstances under which breach notice obligations are triggered. While states have been amending their breach notice laws to include biometric data for some time, the pace at which these amendments are being executed has increased significantly, with California, the District of Columbia, Maine, and Vermont all having done so within the past year. Moving forward, it is likely many other states will amend their breach notice statutes to impose similar requirements over biometric data, leading to significantly enhanced compliance obligations.
To guard against the increased exposure stemming from these new breach notification obligations, companies using biometric data should conduct a data mapping and inventory exercise to understand the biometric data they collect, use, and store, which—in turn—can help develop effective defensive mechanisms to safeguard this sensitive data. Companies should also review their breach incident response plans and make any necessary changes to ensure they satisfy the SHIELD Act’s breach notice requirements.
The power to enforce the SHIELD Act rests exclusively with the New York attorney general. Businesses found to have violated the SHIELD Act’s breach notice provisions can be held liable for actual damages incurred by individuals entitled to receive notice if notification is not provided in accordance with the law.
In addition, businesses found to have committed knowing or reckless violations may be assessed penalties the greater of $5,000 or up to $20 per instance of failed notification, provided the latter does not exceed $250,000. Businesses that are found to have violated the law’s reasonable security requirement can be held liable for civil penalties of up to $5,000 per violation.
Even in the absence of a private right of action, class action litigation risk remains
Despite the lack of a statutory private right of action, the SHIELD Act nevertheless poses a real risk of civil class action litigation for noncompliance. The recently enacted California Consumer Privacy Act of 2018 (“CCPA”) provides a good example of this theory in practice.
While the CCPA provides only a limited private right of action applicable to a very narrow set of data breach incidents, plaintiffs and their attorneys have wasted no time filing a wave of class action lawsuits for purported CCPA violations that have no relation to any type of security incident. Many such suits have not asserted causes of action directly under the CCPA; instead, they used the CCPA as a predicate for causes of action pursued under California’s plaintiff-friendly Unfair Competition Law (“UCL”). The California UCL, in turn, bars companies from engaging in business practices that are “unlawful, unfair, or fraudulent” and allows plaintiffs to “borrow” purported violations of other statutes—such as the CCPA—for use in asserting “unlawful” practices claims under the UCL.
A similar concern exists with respect to the SHIELD Act. Just as California litigants have sought to use the CCPA as a basis to pursue causes of action under California’s UCL, it is likely litigants in New York will try their hand at using the SHIELD Act as a predicate to pursue causes of action under New York’s consumer protection laws. This is especially likely given that the SHIELD Act explicitly states that violations of certain portions of the law are “deemed” to violate New York’s deceptive trade practices law, which includes its own private right of action provision.
While attempts to expand the scope of liability under the SHIELD Act may ultimately fail, those businesses targeted with class action lawsuits will incur significant litigation costs in defending this litigation, further raising the importance of strict compliance with New York’s new data breach/data protection mandates.
The SHIELD Act is just one of many new privacy and security laws enacted around the country geared toward increasing regulation over biometrics practices and enhancing the privacy/security of such biometric data. The SHIELD Act represents a growing trend by lawmakers to impose more robust regulation over the use and collection of biometric data—further underscoring the importance companies must place on ensuring their biometrics practices keep pace with the fast-changing landscape of biometric privacy law.
While lawmakers’ efforts to date have been primarily focused on putting in place targeted biometric privacy statutes modeled after the well-known Illinois Biometric Information Privacy Act (“BIPA”), the SHIELD Act demonstrates how legislators will also turn to other ways to impose requirements and restrictions over biometrics in the coming months and years. And while New York is one of the first states to directly impose data security requirements over biometric data, it will certainly not be the last.
Taken together, regardless of location, companies using biometric data for commercial purposes should take proactive steps to review and assess their current data breach notice practices and incident response plans, as well as their current data security programs. This also includes updating such plans and policies to comply with the framework set forth by the SHIELD Act, which will become increasingly common as other states implement the same or substantially similar requirements in the immediate future.
“Implications of New York’s SHIELD Act on Biometric Privacy,” by Jennifer J. Daniels, Jeffrey N. Rosenthal, and David J. Oberly was published in Biometric Update on October 29, 2020.