New York, Nevada, Washington and Oregon Enact Privacy Laws and Expand Data Breach Notification Requirements, Which May Apply Even to Businesses Located in Other States

Various states have enacted or expanded privacy laws in the past few months. This is unsurprising, given the general trend towards increased consumer protection following Europe’s General Data Protection Regulation, and in the United States, passage of the similarly broad California Consumer Privacy Act. This alert highlights some of the most significant provisions of these laws, which even impact entities that are located outside of the state that has promulgated a particular law.

New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)

On July 25, 2019, Governor Andrew Cuomo signed into law the SHIELD Act, L. 2019, Ch. 117, which takes effect on March 21, 2020. The SHIELD Act amends the General Business Law to expand data breach notification requirements, strengthens Attorney General oversight, and imposes a requirement that businesses and individuals who own or license New York State residents’ private data employ “reasonable safeguards” to protect private information. The law expands data protection and data breach notification requirements to businesses and individuals located outside of the State.

Expansion of the Definition of “Private Information”

Private information was previously defined to mean personal information (i.e., any information that can be used to identify a natural person) plus one or more of the following: Social Security number, driver’s license or non-driver identification card number, account number, credit or debit card number along with any required security or access code (or other information that could permit access). The amendment expands this definition to include an account, debit card or credit card number alone if no additional information is required to access the account; biometric information (such as fingerprint, voice print or other digital representation of unique physical traits); and user name or e-mail address along with the relevant security information that would permit access to the e-mail account. The definition continues to exclude publicly available information from government records.

Broadening of the Definition of “Data Breach”

A data breach was previously defined as the unauthorized acquisition of private information. The SHIELD Act broadens the definition to include unauthorized access of data, even if there is no actual acquisition of data. The SHIELD Act further provides guidelines to determine whether information has been or is reasonably believed to have been wrongfully accessed. This includes considering indications that information was viewed, communicated with, used or altered by an unauthorized person.

Modification of Breach Notification Requirements

The SHIELD Act deletes the portion of the General Business Law that imposed breach notification obligations only on persons or businesses that conduct business in the State. Accordingly, any person or business that owns or licenses computerized data consisting of the private information of New York State residents is subject to the breach notification requirements, regardless of whether that person or business conducts business within the State.

The SHIELD Act, however, obviates notification obligations to individuals if the business determines and documents (such documentation must be kept for five years) that an inadvertent exposure was made by individuals authorized to access the information and is unlikely to result in misuse or harm. Notice to the Attorney General of such a determination is required if the exposure affects over 500 New York State residents.

Additionally, businesses are relieved of notification obligations to individuals under the General Business Law if such notification already occurred pursuant to certain other enumerated statutes, including the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act. Notice, however, must still be served on the Attorney General. The Attorney General must also be provided such notice when an entity is required to provide individual notification of a breach that does not involve defined private information.

Individual notices are now also required to include information regarding state and federal agencies that provide breach response information and identity theft protection. Also, a copy of the template notice must be provided to the Attorney General, the Department of State and the Division of State Police.

Extension of Statute of Limitations and Increased Civil Penalty for Breach Notification Violations

Instead of two years, the Attorney General now has three years, running from the date of notice or from when she/he becomes aware of a data breach notification violation, to prosecute the violation. In no event is the Attorney General permitted to bring such prosecutions beyond six years from the date of an entity’s discovery of the breach, unless the entity made efforts to conceal the breach.

Civil penalties for knowingly or recklessly failing to comply with breach notification obligations are increased from $10 to $20, capped at $250,000 (formerly $150,000) or $5,000 per violation, whichever is higher.

New Requirement of “Reasonable Safeguards”

The SHIELD Act further amends the General Business Law to require implementation of “reasonable safeguards” to protect the security and integrity of private information. An entity may comply with this requirement if it is compliant with other enumerated regulations. Accordingly, businesses that are required to comply with HIPAA, the New York State Department of Financial Services Regulations, and other State or federal data protection regulations would likely be found in compliance with the SHIELD Act requirements if they can prove compliance with the other applicable regulation(s). Otherwise, businesses can comply by implementing a data security program that includes reasonable administrative, technical and physical safeguards. The SHIELD Act lists examples of such safeguards.

Small businesses (defined as businesses with fewer than 50 employees, less than $3 million in gross annual revenue over the preceding three years or less than $5 million in year-end total assets) are also required to comply with the “reasonable safeguards” requirement, but such safeguards may be proportionate to the size and complexity of the business, the nature and scope of its business activities, and the sensitivity of the information at issue.

The Attorney General is empowered to seek an injunction and impose civil penalties in the amount of $5,000 for each violation.

The SHIELD Act creates no private cause of action for violation of the breach notification or “reasonable safeguards” requirement.

New York’s Identity Theft Prevention and Mitigation Services Act

Also on July 25, 2019, Governor Cuomo signed the Identity Theft Prevention and Mitigation Services Act, L. 2019, Ch. 115, which took effect on September 23, 2019, and amends the General Business Law. Pursuant to the amendment, consumer credit reporting agencies are required to offer “reasonable identity theft prevention services and, if applicable, identity theft mitigation services” for no more than five years at no cost to consumers if such consumers’ information, including Social Security numbers, was breached or reasonably believed to have been breached. Consumers must be provided with all information necessary to enroll in such service and to request a security freeze. A credit reporting agency is only relieved of this obligation if, after an investigation, it determines that the breach is unlikely to result in harm.

Nevada’s Act Relating to Internet Privacy

In May of this year, Nevada passed a privacy law that will take effect on October 1, 2019. 2019 Nev. L. Ch. 211. It amends an existing Nevada law (Nev. Rev. Stat. 603A.340), which imposes requirements on certain online data collectors, to require a mechanism by which consumers can opt out of the sale of their personal information and to exclude from compliance certain entities that are already subject to other privacy regulations.

The existing law defines an operator as a person who (1) owns or operates a commercial website or online service, or collects and maintains personal information from Nevada residents who use or visit the website or online service, and (2) purposefully directs its business activities toward Nevada, consummates a commercial transaction with a resident or avails itself of the privilege of conducting business in Nevada. This definition has been amended to extend to any person who “otherwise engages in any activity that constitutes sufficient nexus with th[e] State to satisfy the requirements of the U.S. Constitution.”

In addition to the previously excluded third-party service providers, who host or manage websites or online services on behalf of owners of such websites and online services, the amendment further excludes entities that are subject to the Gramm-Leach-Bliley Act or HIPAA, as well as motor vehicle manufacturers, or a person who repairs or services a motor vehicle and collects, generates or stores certain covered information if that information is provided by the consumer or obtained from the vehicle, in connection with a subscription or registration for a technology or service related to the vehicle.

Covered information continues to be defined as a person’s first name or first initial and last name in combination with one or more of certain enumerated data, including, but not limited to, Social Security number, driver’s license number or account number.

The amendment requires covered online operators to provide a “request address,” such as an e-mail, toll-free number or website, through which consumers may make a data request, such as to opt out of the “sale” of their covered information. A response to the request is required within 60 days, which may be extended by an additional 30 days if “reasonably necessary.” The term “sale” is defined as the exchange of information for monetary consideration. The law identifies circumstances that are specifically excluded from this definition, such as disclosure of personal information as part of a merger, acquisition or bankruptcy. Violations are subject to an action by the Attorney General for an injunction or civil penalty not to exceed $5,000 per violation.

Washington’s Data Breach Notification Law Amendment

Earlier this year, Washington State amended its data breach notification law, Wash. Rev. Code §§ 19.255.010 and 42.56.590, to provide broader protections to Washington consumers and place higher burdens on individuals and businesses who conduct business in the State and either own or license data or maintain or possess data that they do not own. 2019 Wash. L., Ch. 241. For instance, the definition of “personal information” was expanded while the data breach notification deadline was reduced. The amended law takes effect on March 1, 2020.

Expansion of Definition of “Personal Information”

“Personal information” was previously defined as a person’s name in combination with his/her Social Security number; state identification card number; or financial account, credit or debit card number (along with any required access codes). It is now expanded to include the following when used in conjunction with a consumer’s first and last name: date of birth, authentication information, identification number (student, military or passport), health insurance policy or identification number, physical or mental medical history including diagnosis or treatment, and biometric data (e.g., fingerprint, retina scans, voiceprints). Even if a consumer’s first and last name are not accessed, these data elements would constitute “personal information” if they are sufficient for a person to commit identity theft and the information is not encrypted, redacted or otherwise rendered unusable. The State of Washington also now treats a consumer’s username (or e-mail address) and password (or security questions that permit access to an account) as “personal information,” even if the consumer’s real name is not disclosed.

Shortening of Data Breach Notification Deadline and Expansion of Notification Obligations

Individual data breach notices must be provided to affected consumers within 30 days of discovery (previously 45). Furthermore, if 500 or more Washington State residents are affected, the company must notify the Attorney General and provide a copy of the template notice to individuals, as well as a summary of the steps taken to address the breach.

Data breach notices are also required to contain certain information, including the length of exposure of the data at issue, the date of the breach and the date of discovery of the breach.

Oregon’s Consumer Identity Theft Protection Act

In May of this year, Governor Kate Brown signed into law the Oregon Consumer Identity Theft Act, 2019 Or. L., Ch. 180, which amends the State’s data breach notification law. The law will take effect on January 1, 2020.

The amendment renames the Oregon Consumer Identity Theft Protection Act to the Oregon Consumer Information Protection Act. It requires all entities, including third-party vendors, who discover a breach of security to notify the owners of the private data as soon as possible, but no later than 10 days after discovery. It also requires the companies to notify the Attorney General if the breach included more than 250 consumers’ information or an unknown number of consumers’ information.

“Covered entities” that must comply include any individual or entity that “owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of that person’s business, vocation, occupation or volunteer activities.” “Vendors” are further defined as individuals or entities “with which a covered entity contracts” to maintain, process or access personal information. The Act also expands the definition of “personal information” to include consumers’ passwords, usernames and other authentication information.

A covered entity providing credit monitoring services or identity theft prevention services in connection with a data breach cannot make such services contingent on the provision of a consumer’s credit or debit card information, or a consumer’s agreement to accept any other services for a fee.

Finally, consumer reporting agencies are precluded from charging a fee for honoring a consumer’s request to place, temporarily lift or remove a security freeze on that consumer’s report.

These developments are only the most recent in what is sure to be a continuing nationwide effort to increase data privacy regulations. It is imperative that businesses become familiar with the laws to which they are subject, including those enacted outside of the state in which they are located. Perhaps more importantly, businesses should select legal counsel who can provide guidance regarding those laws as well as effective compliance strategies.

Should you have any questions regarding any state’s data breach notification requirements or any state’s new privacy laws, please contact Anna Mercado Clark at (212) 508-0466.