Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was amended in 2019 to include reference to biometric information. The SHIELD Act imposes an extensive set of requirements on businesses that own or license the biometric information of New York residents.
Obligations under the SHIELD Act include implementing administrative, technical, and physical measures to safeguard biometric information, and a duty to notify the authorities in the event of a data breach involving biometric information.
This article will help you understand whether your use of biometric information falls under the scope of New York law and, if so, what you need to do to comply.
The SHIELD Act has a very broad scope, and many businesses fall under its jurisdiction, particularly following the 2019 amendments. Here's how the scope of the law changed in 2019:
The law now applies not only to companies based in New York, and not only to companies doing business in New York, but also to any person or business that "owns or licenses computerized data which includes private information" of New York residents.
This means that if your business has customers, employees, clients, or users in New York, and it owns or licenses their biometric information (or any other type of their private information, which we'll define below), the NY SHIELD Act applies to you.
The SHIELD Act mostly pertains to the protection of "private information," which includes biometric information and several other types of data. But the law is somewhat complicated in how it defines its subject matter, so let's take a closer look.
The SHIELD Act divides private information into two types, which we'll call "type I private information" and "type II private information." The Act also refers to "personal information" and "data elements."
Type I private information is:
One or more data elements (including biometric information, listed below), if:
The combination of the personal information plus the data element is:
Personal information is "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person."
Here are the above-mentioned "data elements":
Type II private information is an individual's account login credentials: "a user name or email address in combination with a password or security question and answer that would permit access to an online account."
Accordingly, if you own or license (e.g., collect and transfer to a service provider) the biometric information of New York residents in combination with their personal information, you must comply with the provisions of the SHIELD Act.
Biometric information is data derived from an individual's unique physical characteristics and used for authentication or identification. Common examples include fingerprints, iris prints, or voiceprints. Biometric information is a highly sensitive type of data used in an increasingly wide variety of contexts.
The SHIELD Act defines "biometric information" as "data generated by electronic measurements of an individual's unique physical characteristics."
The Act includes the following examples:
Note that this definition of "biometric information" provides fewer examples of "biometric information" than other notable privacy laws, including:
However, while the SHIELD Act's definition of "biometric information" doesn't include examples such as DNA, handprints, or faceprints, this doesn't mean that these things don't qualify as "biometric information" under the Act.
If you take a cautious approach to privacy compliance, it would be wise to read the SHIELD Act's definition of a "physical representation or digital representation of biometric information" as including faceprints, DNA, and other types of data commonly considered biometric information.
Businesses that own or license the biometric information of New York residents have two broad requirements under the SHIELD Act:
Let's take a look at what each of these requirements involves.
The SHIELD Act requires covered businesses to "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity" of biometric information and other private information.
This is known as the Act's "data security program." Your data security program must consist of three main parts:
Administrative safeguards, such as:
Technical safeguards, such as:
Physical safeguards, such as:
For a more detailed look at the SHIELD Act's data security program requirements, see our article NY SHIELD Act: How to Implement a Data Security Program.
The SHIELD Act requires businesses to provide notification of the breach of New York residents' biometric information (or other private information).
The Act defines a "data breach" as when:
The Act states that a data breach may have occurred if there are indications that private information:
A data breach has not occurred if an employee or agent of your business accesses the private information:
You must notify the New York residents affected by the breach "in the most expedient time possible and without undue delay."
Your data breach notification must:
You must also notify the following authorities about the breach:
You must provide these authorities with:
If over 5,000 New York residents were affected by the breach, you must also notify certain consumer reporting agencies specified by the New York Attorney General.
For more information, see our article NY SHIELD Act Data Breach Notices.
Small businesses have reduced obligations under the SHIELD Act. Rather than implementing a full data security program, a small business may implement a reduced data security program that is appropriate, considering:
Your business is a "small business" if it has:
Businesses regulated under other data security laws do not need to implement a data security program at all.
Your business is exempt from the SHIELD Act's data security program requirements if it is compliant with any of the following laws:
Businesses regulated by these laws already have data breach notice obligations, and therefore are exempt from most of the SHIELD Act's data breach notification requirements. Such businesses are still required to notify consumer reporting agencies of a breach affecting over 5,000 New York residents.
As we've seen, the SHIELD Act has a very specific definition of "private information." If you use biometric information securely, you may not be required to give data breach notification if you suffer a security incident.
The various components of private information must be present "in combination with" one another for the SHIELD Act to apply.
The SHIELD Act impliedly views biometric information as not warranting protection or breach notification unless it can be linked, via personal information, to an individual.
This means that if you own or license biometric information, but you ensure that it is not stored, accessed, or acquired "in combination" with personal information, then the biometric information in itself doesn't constitute private information.
If you suffer a breach of biometric information without the corresponding personal information, this doesn't constitute a reportable breach under the SHIELD Act.
The SHIELD Act's definition of private information does not include non-compromised encrypted or redacted datasets. Unlike other privacy laws, the SHIELD Act's data protection and breach reporting obligations don't apply to encrypted or redacted data.
This means that if you suffer a breach involving biometric information that has been encrypted or a dataset from which biometric information has been redacted, you won't need to report the data breach under the SHIELD Act.
If you're using a service provider to collect or store biometric information, seek assurances that the service provider will protect the biometric information in transit and storage using strong encryption.
Where biometric information appears in documents or lists, ensure it is redacted by removing it or making it unreadable.
This exception does not apply if the encryption key has been accessed or acquired. This takes us on to our next compliance tip.
Biometric information can also be "private information" where it is encrypted, if the associated encryption key has been "accessed or acquired."
The SHIELD Act impliedly views encrypted data as not warranting protection or breach notification so long as the encryption key is not accessible. This is because properly encrypted data is unintelligible without an encryption key.
Therefore, if you suffer a breach of encrypted biometric information, but the associated encryption key remains safe, you don't need to report this breach under the SHIELD Act. Keep encryption keys safe, and keep them separate from encrypted data.
The SHIELD Act brings extensive new requirements for businesses using biometric data of New York residents.
To ensure you remain compliant in your use of biometric information, ensure that you:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.