**Alert Update: The SHIELD Act has been signed into law, and is effective in New York State on March 22, 2020.
As always, Octillo lawyers are available to assist in addressing any questions you may have regarding data security developments. Please feel free to contact us.
There are two important privacy developments in New York State that companies should take note of: the Stop Hacks and Improve Electronic Data Security (SHIELD) Act and the New York Privacy Act (NYS5642). If passed, these pieces of legislation will impose more stringent data security requirements on companies that collect information from New York residents.
1. THE SHIELD ACT
Passed by the State's legislature, the SHIELD Act updates New York’s general business law (GBL 899-aa) governing notification requirements and consumer data protection obligations, and broadens the Attorney General’s oversight regarding data breaches impacting New Yorkers.
Specifically, the Act purports to:
- Expand the scope of information subject to the current data breach notification law to include biometric information, email addresses, and corresponding passwords or security questions and answers;
- Broaden the definition of a data breach to include unauthorized “access” to private information from the current “acquired” standard;
- Apply the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State;
- Update the notification procedures companies and state entities must follow when there has been a breach of private information; and
- Create reasonable data security requirements tailored to the size of a business.
STATUS
Passed by the legislature, awaiting signature by the Governor. Additionally, amendments to the Act are currently pending.
2. THE NEW YORK PRIVACY ACT (NYS5642)
This bill, which has passed the Senate, was proposed by State Senator Thomas and is currently pending before the Senate Consumer Protection Committee. It has been compared to the General Data Protection Regulation and California Consumer Protection Act but differs in certain respects. Among other things, it purports to apply to most entities doing business in New York State, and includes those businesses outside the state that produce products or services targeted to NYS residents. Unlike the CCPA, there is no monetary or revenue threshold that must first be met to be included in the Act's jurisdictional scope.
This Act governs (and in some instances, limits) the collection and use of personal data by those entities. It requires consent, provides for certain data subject rights (correction, deletion), and includes a private right of action against companies processing jurisdictional personal data. The bill does purport to exempt from its reach data sets governed by HIPAA/HITECH.
STATUS
Pending in Senate Consumer Protection Committee.
PREDICTION
This bill is likely to pass the Senate. However, as there is no same-as bill in the Assembly, the bill likely will not be passed this session. That said, it is a priority bill for Sen. Thomas and we expect more pressure next year to pass it.
Octillo Law PLLC continues to monitor privacy bills and regulations pending in New York State, including:
- Proposed NYS Biometric Privacy Act;
- Department of Financial Services regulations impacting credit reporting agencies;
- New York Department of State Emergency Regulations on Identity Theft prevention and mitigation;
- Proposed legislation relating to the New York State Cyber Security Advisory Board, a Cyber Security Action Plan for the State, and Periodic Cyber Security Reports.
Have questions? Our team at Octillo is uniquely positioned to advise on emerging privacy laws at both the state and national level. Contact us today for a consultation.
*Attorney Advertising: Prior results do not guarantee a similar outcome.