New Data Security & Privacy Law Requirements About to Go Live in New York
New York’s SHIELD Act – Data Security Requirements
While New York’s Stop Hacks and Improve Electronic Data Security (“SHIELD Act”) was officially signed into law as of July 25, 2019, and certain notification requirements went into effect October 23, 2019, additional data security requirements are set to take effect on March 21, 2020.
The SHIELD Act includes the requirement that, “Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”
Compliance With Data Security Requirements of the SHIELD Act
Even though the Act does not enumerate specific safeguards companies should implement, it does state that a company will be in compliance if it either: (i) is a Compliant Regulated Entity; or (ii) implements a data security program that includes specific requirements.
The Act defines a Compliant Regulated Entity as:
[A]ny person or business that is subject to, and in compliance with, any of the following data security requirements:
(i) regulations promulgated pursuant to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809), as amended from time to time;
(ii) regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164), as amended from time to time, and the Health Information Technology for Economic and Clinical Health Act, as amended from time to time;
(iii) part five hundred of title twenty-three of the official compilation of codes, rules and regulations of the state of New York, as amended from time to time; or
(iv) any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government as such rules, regulations or statutes are interpreted by such department, division, commission or agency or by the federal or New York state courts[i].
Implementation of a Data Security Program
With respect to the implementation of a Data Security Program, the Act notes that such a program should include:
(A) reasonable administrative safeguards such as the following, in which the person or business:
(1) designates one or more employees to coordinate the security program;
(2) identifies reasonably foreseeable internal and external risks;
(3) assesses the sufficiency of safeguards in place to control the identified risks;
(4) trains and manages employees in the security program practices and procedures;
(5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
(6) adjusts the security program in light of business changes or new circumstances; and
(B) reasonable technical safeguards such as the following, in which the person or business:
(1) assesses risks in network and software design;
(2) assesses risks in information processing, transmission and storage;
(3) detects, prevents and responds to attacks or system failures; and
(4) regularly tests and monitors the effectiveness of key controls, systems and procedures; and
(C) reasonable physical safeguards such as the following, in which the person or business:
(1) assesses risks of information storage and disposal;
(2) detects, prevents and responds to intrusions;
(3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
(4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Small Business Requirements
Companies should note that, under the SHIELD Act, small businesses have a lowered data security requirement. The Act defines small businesses as persons or businesses with: (i) fewer than 50 employees; (ii) less than $3 million in gross annual revenues in the last 3 fiscal years; or (iii) less than $5 million in year-end total assets, calculated in accordance with GAAP.
The SHIELD Act notes that a small business is in compliance with its data security requirements if the small business’s security program, “[C]ontains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”
No Private Right of Action
While it is important to note that the SHIELD Act does not create a private right of action, it does provide that failures to comply shall be deemed a violation of GBL § 349, which pertains to deceptive acts and practices. Violations of GBL § 349 are handled by the attorney general, who may bring an action to enjoin such violations and to recover damages owed by violators. Given that the SHIELD Act has increased penalties for violations, it is important for companies to ensure they are in compliance with the updated requirements.
With the enhanced data security requirements of the SHIELD Act going into effect as of March 21, 2020, it is important for entities in possession of information pertaining to residents of New York to review and update their data security and compliance programs. Even for entities that have ensured compliance with other privacy and data security laws, such as the CCPA, HIPAA, HITECH and the GDPR, it is important to make sure that those policies and implementations check all the boxes of the SHIELD Act as well. Most notably, the provisions of the Act related to notifications that need to be sent in relation to breaches may differ from an entity's current procedures, and should be addressed to ensure compliance. Review of these policies and implementations should likely be verified by counsel as well to ensure compliance.
[i] GBL § 899-BB