What New York’s New Data Breach Notification Law Means for Interactive Media Companies

Last July, consumer-rights advocates rejoiced when the New York State Assembly passed the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act). Following a nationwide trend to strengthen online consumer protections, the SHIELD Act made three major changes to the state’s data breach notification law. These changes directly impact businesses that collect personal information from the state’s residents – even if the company itself is outside the state.

The first two changes broadened the statutory definitions of private information and security breach, and went into effect last month. The third change imposes a reasonable security standard on entities that maintain data of the state’s residents, and is set to go into effect March 2020. This post will briefly address the changes from the state’s old breach notification law and the first two changes as they apply to interactive media companies. A subsequent post will examine the third change.

What’s so different from the old data breach notification law?

Originally, like most states, the breach notification statute applied only to businesses that operate within the state. Under the SHIELD Act, any company that collects personal information from a New York resident will be subject to the Empire State’s regulatory arm.

The specific language of the statute is that any company or individual “that owns or licenses computerized data which includes private information of a resident of New York” will be subject to the new breach notification requirements. For companies that have an extensive online presence, this means wading into an expansive web of state-government regulation, and with it increased compliance costs.

SHIELD is especially challenging for companies that derive their primary revenue by providing free access to their content in exchange for users’ personal information and then selling that data to other companies for advertising and marketing purposes. Those companies may never set foot in the states their users access content from, and yet SHIELD subjects the companies to the state’s breach requirements.

Does being subject to a breach notification law affect online media companies?

In a field where technology is constantly evolving, online media and gaming companies are ripe targets for cyber criminals eager to plunder users’ personal information for two primary reasons. 

First, some of these companies are in the business of collecting and selling data and constantly finding new ways to gather that information. Second, innovation in collection methods outpaces implemented security measures to protect that data. Hackers take advantage of that flaw, and are constantly finding ways to penetrate existing security protocols. 

Just earlier this year, Zynga was the subject of a massive data breach. Though users’ financial information was not at risk, users’ names, email addresses, logins, phone numbers, and social media sites were illegally accessed. This resulted not only in reputational harm but also in actual economic loss for the company.

So, how do SHIELD’s changes affect these companies?

  1. Expanding the elements that trigger notification requirements. 

SHIELD requires companies to notify individuals when their private information is breached. The statute defines private information to be personal information (information concerning a natural person) in combination with any one of the enumerated data elements. 

Traditionally, these elements were SSNs, driver’s license numbers, and more typical financial account numbers. However, SHIELD extends those data elements to include “user name[s] or email address[es] in combination with a password or security question and answer that would permit access to an online account.” In the Zynga example above, this amendment would subject that company to the notice requirements of SHIELD, and with it increased costs of doing business.

Though companies like Zynga may have been subject to N.Y.’s breach notification requirements before SHIELD for other reasons (i.e. operating within the state), smaller start-up companies trying to break into the market may now be subject to a tremendous burden of insuring against a breach, knowing proper compliance measures, and being on the hook for notification costs should such an event occur. 

  2. Broadening the statutory definition of a breach.

Under SHIELD, a breach is now considered unauthorized acquisition or access. This change greatly widens the zone of notifiable breaches. The former law in New York required notification only if information was actually acquired.

In addition, SHIELD imposes an obligation to investigate. Companies that believe their information has been accessed may not be subject to the breach notification requirements so long as a certain litany of factors is considered. This requirement still makes the company responsible for investigating the unauthorized access; however, it raises the question of how access poses the same dangers to consumers as acquisition of their personal information, so as to warrant notification.

Regardless, companies whose primary function is to collect user information are obliged to guard it, for fear of having to incur the cost of notice anytime such information is impermissibly accessed.

The third major change—requiring reasonable security procedures—will be discussed in a subsequent post.