May 22, 2022

Volume XII, Number 142


May 20, 2022

Subscribe to Latest Legal News and Analysis

May 19, 2022

Subscribe to Latest Legal News and Analysis

New York Strengthens Data Privacy and Security Protections: Employers Must Adopt Safeguards (US)

Joining the growing list of states enacting privacy and data security laws, on July 25, 2019, New York’s governor signed into law the “Stop Hacks and Improve Electronic Data Security” Act (the “SHIELD Act”), amending the state’s data breach notification and cybersecurity law. The SHIELD Act applies to “any person or business that owns … computerized data which includes private information,” regardless of corporate structure, revenues or location. As such, the SHIELD Act will apply to not only businesses and employers in New York, but may also apply to businesses and employers with no physical presence in New York.

The SHIELD Act imposes more expansive data security and data breach notification requirements on companies by:

  • Broadening the scope of “private information” covered under the notification law to include personal information (such as a social security number or driver’s license number), biometric information and email addresses with their corresponding passwords or security questions and answers;

  • Expanding the definition of “breach” of the security of the system to include unauthorized access of computerized data that compromises the security, confidentiality, or integrity of private information;

  • Expanding the territorial scope of the breach notification requirement to any person or entity with private information of a New York resident, not just to those who conduct business in New York;

  • Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information; and.

  • Creating requirements for companies to implement reasonable safeguards to protect the security, confidentiality and integrity of private information.

The SHIELD Act, however, affords certain exceptions. Under the new amendments, a company may be exempt from the breach notification requirements if “exposure of Private Information was an inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” The amendments further clarify that businesses will be deemed compliant with the SHIELD Act if the business complies with other laws requiring information security, such as the Health Insurance Portability and Accountability Act Security Rule (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies. Such covered entities are not required to notify affected New York residents regarding such breaches under New York’s breach notification law; however, companies must still notify the New York Attorney General, the Department of State Division of Consumer Protection, and the Division of the State Police regarding the breach.

Additionally, the SHIELD Act does not authorize a private right of action or class action litigation. However, the Attorney General is authorized to bring enforcement actions, and violations may result in civil penalties.

The SHIELD Act’s breach notification amendments take effect October 23, 2019, while the new data security requirements will take effect beginning March 21, 2020.

Employers located in New York or that otherwise possess private information of New York residents should review and update their data security programs to comply with these new amendments.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume IX, Number 296

About this Author

Lauren Herz Labor & Employment Attorney Squire Patton Boggs New York, NY

Lauren Herz represents companies in a wide variety of matters that arise out of the employment relationship. She serves clients in a broad range of industries and has significant experience in the fashion and beauty industries.

Lauren provides pre- and pending litigation support on many different types of employment disputes, including wage and hour litigation, and harassment and discrimination matters. She also assists in the representation of clients in Department of Labor audits of wage and hour practices. She is well versed in advising clients on matters involving employee...

Ariel S. Cohen Labor & Employment Attorney Squire Patton Boggs Columbus, OH

Ariel Cohen counsels and represents clients in all aspects of labor and employment law, with a focus on multistate matters and the implications of marijuana legislation in the workplace.

Ariel serves companies of all sizes and helps employers resolve charges of discrimination and other disputes before administrative agencies, as well as provides pre and pending litigation support for a wide variety of employment matters. Ariel also offers e-discovery expertise, including the review of more than a half-million documents.

Ariel is well versed in all aspects of federal, state...