Complying with Consumer Data Requirements Under New York’s Shield Act
By Kevin E. Timson, Esq., Bellavia Blatt, PC
All independent automotive dealerships that do business with New York residents should be aware of their obligations under New York State’s Shield Act (“Stop Hacks and Improve Electronic Data Security Act”). The act is the latest addition to a growing set of federal and state requirements imposed upon dealerships with regard to how they manage consumer information. The law covers all businesses, regardless of size or location, that collect private information on New York State residents. The act, which was signed into law last August, took effect with respect to breach notifications in October and takes effect with respect to data security requirements on March 21, 2020.
Notice of Breaches Related to Private Information
Under the Shield Act, dealers must give notices to New York residents when there is a breach in any dealer security systems related to the “private information” of individuals, including customers and employees. “Private information” now includes not only social security numbers, driver’s licenses and credit card numbers but any additional information that may be used together with this data to access an individual’s financial account without additional information. This includes security codes or passwords to permit access to such person’s financial account, biometric information to authenticate a person’s identity and user names and passwords to access an online account.
The Shield Act defines a security system breach as the acquisition of, or access to, private information by a person without valid authorization. Factors indicating unauthorized access include evidence demonstrating that the information was viewed, used or altered by unauthorized parties. This might be demonstrated by the opening of fraudulent accounts using this information or reports of identity theft. Regarding unauthorized acquisition of private information, dealerships should look for whether the information has been downloaded or copied or whether it is in the physical possession and control of an unauthorized person (i.e., if a computer or other device containing private information was lost or stolen).
A dealership must notify impacted New York residents of any data breach upon the dealership’s discovery of the breach. Such notification must occur if the breach is reasonably believed to have occurred and “shall be made in the most expedient time possible and without unreasonable delay.” Notifications do not need to be made if “persons authorized to access private information” made an inadvertent disclosure or if it is reasonably determined that such exposure will not likely result in misuse of such private information or cause financial or emotional harm to impacted individuals. Please note, however, that New York State has not provided more specific guidance on these exceptions, so dealerships should exercise caution when determining whether such exceptions apply to a given breach.
Notices can be made to impacted individuals by mail. They can also be made by phone or email if individuals have provided prior consent to communicate in either manner. Should a dealership not have an individual’s contact information, the act allows the dealership to issue public notice of the data breach on its website. Notice can also be provided in any manner authorized under the federal Safeguards Rule. Last, notices regarding any breach must also be sent to the New York State Attorney General, Department of State and State Police.
Data Security Requirements
As a new requirement under the Shield Act, dealerships must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” Dealerships can comply with this new requirement by implementing a data security program that includes:
– Administrative Safeguards: Employee training on security risks and procedures, dedicated security program coordinators, identification of foreseeable internal and external security risks and assessments of whether existing administrative safeguards can sufficiently protect against these risks.
– Network and Software Safeguards: This includes the ability to regularly monitor for threats and test for key network and software controls.
– Physical Safeguards: Dealerships must document how private information is stored and disposed of on a regular basis. Dealerships must also identify what physical security measures prevent unauthorized users from accessing private information on dealership computers.
The good news is that many independent automobile dealerships get significant leeway to implement these safeguards because they are considered small businesses under the Shield Act. A small business is defined as one with less than 50 employees, less than $3 million in gross revenue for each of the past three fiscal years or less than $5 million in year-end total assets. Under the “small business” category, the Shield Act does take into account whether the dealership has provided for reasonable safeguards that are appropriate for the size and complexity of the dealership’s business, the nature and scope of its activities and the sensitivity of the personal information it collects from individuals. As the Shield Act provides no further guidance on what might be “appropriate” here for small businesses, it is best to consult your legal counsel and/or IT providers for further guidance.
All independent automobile dealerships need to take their obligations under the Shield Act seriously because failure to comply can result in significant consequences for them. Failure to notify impacted individuals of data breaches can subject a dealership to an action by the state attorney general. If a court finds that such violations occurred knowingly or recklessly, the court can impose civil penalties of up to the greater of $5,000 or twenty dollars per instance (not to exceed $250,000). Similarly, the state attorney general can bring claims against dealerships that fail to provide reasonable safeguards to secure private information. For such violations, the attorney general can obtain civil penalties of up to $5,000 per violation. It is important to note that the Shield Act creates no private right of action for individuals against dealerships that violate any provision of the act.
Fortunately, there are vendors who can help dealerships with setting up compliant data security systems and notifying individuals of any suspected data breaches. Contact your IT provider or legal counsel for more assistance. You can also contact our firm for more information at 516-873-3000.
Bellavia Blatt, PC is general counsel to the New York Independent Automobile Dealers Association and an advocate for New York dealers every day on a wide variety of legal matters impacting their dealerships. For the past thirty-three years, the firm has provided legal counsel to dealers on litigation, regulatory compliance, buy-sell transactions, the purchase, sale and leasing of real estate and a host of other commercial and business matters.
Legal Disclaimer: This presentation does not constitute legal advice. You should consult an attorney for any matters discussed herein.