NY SHIELD Act and the Bevy of State Privacy Legislation to Come: Are You Prepared?
by Mark Paulding and Tatyana Ruderman
While privacy professionals are laser-focused on California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which we write about here, in 2020 other states have added more rules to the already-complicated patchwork of US privacy laws.
With eyes on the West Coast, one change on the East Coast that may have fallen by the wayside is the enactment of the NY SHIELD (“Stop Hacks and Improve Electronic Data Security”) Act, which modified New York’s data breach notification laws and requires businesses to implement reasonable security measures to protect personal information collected from NY residents, including consumers and employees. The NY SHIELD Act became effective on March 21, 2020.
Take note of some important provisions:
The SHIELD Act sets out the jurisdictional scope, which now covers any person or business that owns or licenses computerized data that includes “Private Information” of a New York resident, whether or not the person or business otherwise conducts business in New York.
The SHIELD Act’s requirements relate to “Private Information,” which is individually identifiable information, such as name, number or other identifier, coupled with other types of sensitive data like SSN. The new bill now expands the definition of “Private Information” to include online account information (including credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password) and biometric information.
The SHIELD Act requires implementation of a data security program and, similar to the Massachusetts Safeguards for Protecting Personal Information, NY now provides specific examples of what constitutes “reasonable” safeguards. Also note that an earlier version of the SHIELD Act referenced industry-recognized security standards like the NIST Cybersecurity Framework or ISO 27001, but this provision was removed, which indicates that adopting industry standards helps, but does not guarantee compliance with this specific act. That being said, the safeguard examples provided within the SHIELD Act would be satisfied by implementing ISO 27001 or the NIST Cybersecurity Framework.
“Reasonable administrative safeguards” include:
designating one or more employees to coordinate the security program;
identifying reasonably foreseeable internal and external risks;
assessing the sufficiency of safeguards in place to control the identified risks;
training and managing employees in the security program practices and procedures;
selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and
adjusting the security program in light of business changes or new circumstances.
“Reasonable technical safeguards” include:
assessing risks in network and software design;
assessing risks in information processing, transmission and storage;
detecting, preventing and responding to attacks or system failures; and
regularly testing and monitoring the effectiveness of key controls, systems and procedures.
“Reasonable physical safeguards” include:
assessing risks of information storage and disposal;
detecting, preventing and responding to intrusions;
protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
The SHIELD Act exempts certain types of businesses, including entities in compliance with the Gramm-Leach-Bliley Act, HIPAA, and/or the New York State Department of Financial Services cybersecurity regulations, and accommodates more flexible standards for reasonable administrative, technical, and physical safeguards for small businesses (fewer than 50 employees and less than $3 million in annual gross revenue or less than $5 million in year-end total assets).
The SHIELD Act vests enforcement with the New York State Attorney General and provides for injunctive relief and civil penalties:
Adds a new potential penalty, up to $5,000 in statutory damages for each knowing or reckless violation of the SHIELD Act’s data security standard requirements.
Toughens potential civil penalties for violations of the breach notification requirements, up to twenty dollars per instance of failed notification (capped at $250,000).
Does not provide for a private right of action, but a violation of the statute can be deemed a violation of New York’s Deceptive Acts & Practices law (and as in California, we can anticipate that plaintiffs will make creative arguments to attempt to enforce violations through indirect means).
Continue to Watch Pending State and Federal Privacy Legislation
New privacy laws have also been considered around the country, in 30 states and Puerto Rico (and in some cases at the city/local level), and at the federal level. While few have passed, this demonstrates heightened focus on consumer privacy. For example, also in New York, there are two pending privacy bills (Right to Know Act and New York Privacy Act) and another proposed privacy bill was just introduced (It's Your Data Act). Also over the past year, consideration of a federal privacy law has escalated, and there are a number of federal proposals currently on the table. U.S. Sen. Jerry Moran, R-Kan., introduced the Consumer Data Privacy and Security Act, Sen. Maria Cantwell, D-Wash., introduced the Consumer Online Privacy Rights Act, and Sen. Roger Wicker, R-Miss., introduced the Consumer Data Privacy Act.
Key Takeaways:
With many employees working remotely in 2020 and into 2021 and the heightened risk associated with operating almost entirely in the cloud, organizations should re-evaluate their budget allocations for privacy and data security to stay on top of this and other data protection statutes. New York’s SHIELD Act could serve as a helpful benchmark for companies ready to elevate their data security standards.
And, since data breach notification statutes are already old news for many businesses, much of the recent editorial coverage of new privacy laws centers on the rules providing consumers additional transparency and rights over the handling of their personal data. However, new data security rules should not be overlooked, particularly because they are sometimes the only sections that have significant teeth by way of explicitly allowing civil claims (such as in the CCPA, as we discuss here).
If your organization is addressing new privacy legislation piecemeal, it might be time to consider advocating for a budget to set up an overall privacy and data security compliance program and incorporate privacy-by-design into business processes at the earliest stages of development.
Most importantly, in the current climate, as you work through and implement new rules, remember to build a privacy and data security program that is limber and responsive to changes in the US privacy landscape.