If you waited until the last minute to develop a data privacy program, it is now required in New York. Signed into law on July 26, 2019 by Governor Cuomo, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires businesses to implement safeguards for the “private information” of New York residents and broadens New York's security breach notification requirements.
Background on the Act
The SHIELD Act (1) expands some of the definitional terms under New York General Business Law 899-aa (New York’s data breach reporting statute), and (2) imposes a reasonable security requirement on certain businesses that handle New York residents’ “private information” as defined in the SHIELD Act. In addition, the SHIELD Act extends certain reporting obligations to all businesses that hold private information of a New York resident, regardless of whether the organization does business in New York. You can learn more about the SHIELD Act here.
Compliance Milestone 1 (PAST): October 23, 2019
By October 23rd, companies were required to make certain updates to their internal policies and practices to reflect the expansion of the definition of private information under the SHIELD Act. Also, the definition of breach was expanded by the law to include “access to or acquisition of” private information, which required internal updates. In addition, there are new breach reporting requirements and steps, including that credit monitoring be provided if there is a breach.
Compliance Milestone 2 (UPCOMING): March 21, 2020
Fast approaching, the next compliance step requires businesses to have “reasonable safeguards in place” to protect private information by March 21, 2020. More specifically, the SHIELD Act requires that New York entities handling New York resident private information have certain “reasonable security” measures in place to protect the “security, confidentiality and integrity” of such private information. This includes the disposal of such information.
Organizations will need to implement a robust data security program that addresses administrative, technical and physical safeguards. For administrative safeguards, items that demonstrate compliance include designating a security program leader, conducting risk assessments, training employees, requiring by contract that third-party providers and vendors have certain practices in place, and adjusting the program as the business and its data change. Technical safeguards include policies to assess network and software design risks and data processing risks, incident detection and response, and regular testing and monitoring of key controls and systems. As for physical safeguards, the business must document how it assesses storage and disposal, intrusion response, and prevention of unauthorized access to private information. Record retention and disposal are a key component: the law specifies that private information should be kept only for a reasonable amount of time, and once there is no longer any business purpose for holding it (including any legal record-keeping requirement such as a litigation hold), it should be deleted.
It is important to be aware that there are certain exceptions under the SHIELD Act, namely, if a business has fewer than 50 employees or less than $3 million in revenue. In those situations, your data security safeguards need only be appropriate to your business size, the nature and scope of its activities, and the sensitivity of the data. Additionally, businesses large or small that are in compliance with certain federal laws requiring information security measures, such as HIPAA, are deemed compliant with the SHIELD Act.
There remains no private right of action, and enforcement still rests with the Attorney General. Under the SHIELD Act, penalties have increased (now $20 per notification violation, with the maximum penalty set at $250,000).
Key Take-Aways
Businesses should start at the beginning by determining which laws actually apply and where they may conflict with other legal obligations, and then address those items to put the organization in a legally defensible position. As can be seen, policies, procedures, third-party vendor management programs, incident response plans, and record retention policies are critical components of a business's overall data security program.
At Octillo, we are available to answer any questions you have about the SHIELD Act, California’s Consumer Protection Act (CCPA), the European Union’s General Data Protection Regulation (GDPR) or any other privacy or data security statute that may impact your business. We can walk you through the legal obligations and help you proactively implement a compliance program that best suits your needs. We are proud to be the only firm in 2019 named for its “Technology Transactions” practice in Upstate New York Super Lawyers and routinely cited by Law.com for our insights in this fast-moving area, along with several other awards and recognition in tech and law.
Attorney Advertising: Prior results do not guarantee a similar outcome.