New York's Deadline to Comply With New Data Privacy Law Fast Approaching
Tuesday, March 10, 2020
NYC
Print Mail Download i

The Stop Hacks and Improve Electronic Data Security Act (known as the SHIELD Act), signed into law by Governor Cuomo last year, comes into full effect on March 21, 2020. The Act’s expansive reach requires businesses in New York, as well as those outside the state that maintain New York residents’ private information, to take concrete steps intended to prevent data breaches. A failure to comply with the new data security requirements raises the specter of enforcement actions by the New York State Attorney General, whose powers are significantly expanded under the SHIELD Act. The SHIELD Act brings New York State into the fold with a growing number of states that have recently enacted legislation or strengthened existing laws aimed at protecting consumer data security and privacy, making it imperative for companies to review, assess, and enhance their compliance capabilities.

Signed by Governor Cuomo on July 25, 2019, the SHIELD Act was designed to become effective in two phases. First, effective October 23, 2019, the Act significantly revised § 899-aa of the General Business Law (GBL), including by expanding the definition of “private information” to include account numbers, biometric information, and email addresses (when combined with a password or security question and answer).

Second, the SHIELD Act added a new § 899-bb to the GBL, which sets forth formal data security requirements tailored by business size, as well as an enforcement provision for non-compliance. Due to the nature of the affirmative requirements set forth in new § 899-bb, businesses were given until March 21, 2020 to achieve compliance. By that time, new GBL § 899-bb(2)(a) requires that “[a]ny person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”

The steps necessary to comply with this mandate depend on business size and type. Any business other than a “small business,” as defined in GBL § 899-bb(1) and discussed below, will be deemed “in compliance” if it either (i) is a “compliant regulated entity,” as defined in GBL § 899-bb(1), such as businesses regulated by the federal Gramm-Leach-Bliley Act, certain financial services companies, and entities subject to HIPAA; or (ii) implements a data security program that includes certain “reasonable” administrative, technical, and physical safeguards, as follows:

  • Administrative Safeguards – these include designating one or more employees to coordinate the security program; identifying reasonably foreseeable internal or external risks; assessing the sufficiency of safeguards in place to control identified risks; training and managing employees in security program practices and procedures; selecting service providers capable of maintaining appropriate safeguards (and requiring those safeguards by contract); and adjusting the security program in light of business or new circumstances. GBL § 899-bb(2)(b)(ii)(A).

  • Technical Safeguards – these include assessing risks in network and software design; assessing risks in information processing, transmission, and storage; detecting, preventing, and responding to attacks or system failures; and regularly testing and monitoring the effectiveness of key controls, systems and procedures. GBL § 899-bb(2)(b)(ii)(B).

  • Physical Safeguards – these include assessing risks of information storage and disposal; detecting, preventing, and responding to intrusions; protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed. GBL § 899-bb(2)(b)(ii)(C).

Under GBL § 899-bb(2)(c), a “small business”—defined by the Act as a company with less than 50 employees, less than $3 million in gross annual revenue or less than $5 million in year-end total assets— will be deemed in compliance if its security program contains reasonable administrative, technical, and physical safeguards that are “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”

Significantly, GBL § 899-bb not only creates affirmative data security requirements, but provides a powerful enforcement mechanism for noncompliance. Under GBL § 899-bb(2)(d), any person or business that fails to comply with the requirements of GBL § 899-bb(2) shall be deemed to have violated GBL § 349, which makes deceptive acts or practices unlawful. This provision authorizes the Attorney General to bring an action to enjoin violations, and to obtain civil penalties of $5,000 per violation, as set forth in GBL § 350-d (civil penalties). Section 899-bb(2)(e) explicitly states that a breach of the data security requirements does not create any private right of action.

As mentioned above, GBL § 899-bb brings the SHIELD Act into full effectiveness. While the new data security requirements are a key piece of the legislation, the Act’s revisions to GBL § 899-aa have already taken effect. These revisions include an expanded definition of “private information,” an expanded definition of data “breach,” updates to the notification system for discovered breaches, broadened territorial application to any person or business which owns or licenses computerized data that includes private information of a resident of New York (previously, it required such person or business conduct business in New York), and the application of many of these new definitions to state government agencies and entities.

The SHIELD Act brings New York State into the fold along with states such as California, Nevada, Maine, Massachusetts, New Jersey, Maryland, Oregon, Texas, and Washington that have recently enacted legislation aimed at protecting consumer data security and privacy.

With March 21 quickly approaching, companies both in New York and those maintaining New Yorkers’ “private information” should review, assess, and enhance their compliance with the SHIELD Act, as noncompliance may prove costly.

© 2024 Bracewell LLP

Current Legal Analysis

More from Bracewell LLP

Beyond Whistleblowing: Additional Highlights from the Department of Justice at the 2024 ABA White Collar Conference
by: Seth D. DuCharme , Mark Hunting
Increasing Antitrust and Potentially Other Scrutiny for Defense M&A Deals
by: Robert J. Wagman, Jr. , Patrick K. Johnson
The SEC’s Final Rules on Climate-Related Disclosures: A Guide for In-House Counsel
by: Charles H. Still Jr. , Troy L. Harder
FINRA Facts and Trends: March 2024
by: Joshua Klein , Keith Blackman
Protecting Energy Investments in Europe: UK Announces Withdrawal from the Energy Charter Treaty
by: Darren Spalding , Robert Meade
PFAS Regulatory Developments: Cleanup, Disposal, Testing and Reporting Issues [Video]
by: Timothy A. Wilkins , Steven Cook
Round Three: EPA’s Latest Changes to the RMP Program – Initial Insights on Next Steps [Video]
by: Steven Cook , Whit Swift
The Race to Report: DOJ Announces Pilot Whistleblower Program
by: Seth D. DuCharme , Mark Hunting
Edwards Aquifer Blindcats: A Potentially Endangered Species With Amanda Glen and Ann Navaro [Podcast]
by: Daniel J. Pope , Ann D. Navaro
Federal Judge Rules Corporate Transparency Act Is Unconstitutional: Takeaways and Next Steps
by: Benjamin J. Martin , Caroline E. Ellis

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins