April 3, 2020

New York Strengthens Data Privacy and Security Protections: Employers Must Adopt Safeguards (US)

Joining the growing list of states enacting privacy and data security laws, on July 25, 2019, New York’s governor signed into law the “Stop Hacks and Improve Electronic Data Security” Act (the “SHIELD Act”), amending the state’s data breach notification and cybersecurity law. The SHIELD Act applies to “any person or business that owns … computerized data which includes private information,” regardless of corporate structure, revenues or location. As such, the SHIELD Act will apply not only to businesses and employers in New York, but may also apply to businesses and employers with no physical presence in New York.

The SHIELD Act imposes more expansive data security and data breach notification requirements on companies by:

  • Broadening the scope of “private information” covered under the notification law to include personal information (such as a social security number or driver’s license number), biometric information and email addresses with their corresponding passwords or security questions and answers;

  • Expanding the definition of “breach” of the security of the system to include unauthorized access of computerized data that compromises the security, confidentiality, or integrity of private information;

  • Expanding the territorial scope of the breach notification requirement to any person or entity with private information of a New York resident, not just to those who conduct business in New York;

  • Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information; and

  • Creating requirements for companies to implement reasonable safeguards to protect the security, confidentiality and integrity of private information.

The SHIELD Act, however, affords certain exceptions. Under the new amendments, a company may be exempt from the breach notification requirements if “exposure of Private Information was an inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” The amendments further clarify that businesses will be deemed compliant with the SHIELD Act if the business complies with other laws requiring information security, such as the Health Insurance Portability and Accountability Act Security Rule (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies. Such covered entities are not required to notify affected New York residents regarding such breaches under New York’s breach notification law; however, companies must still notify the New York Attorney General, the Department of State Division of Consumer Protection, and the Division of the State Police regarding the breach.

Additionally, the SHIELD Act does not authorize a private right of action or class action litigation. However, the Attorney General is authorized to bring enforcement actions, and violations may result in civil penalties.

The SHIELD Act’s breach notification amendments take effect October 23, 2019, while the new data security requirements will take effect beginning March 21, 2020.

Employers located in New York or that otherwise possess private information of New York residents should review and update their data security programs to comply with these new amendments.

© Copyright 2020 Squire Patton Boggs (US) LLP


About this Author

Lauren Herz, Labor & Employment Lawyer, Squire Patton Boggs

Lauren Herz represents companies in a wide variety of matters that arise out of the employment relationship. She serves clients in a broad range of industries and has significant experience in the fashion and beauty industries.

Ariel Cohen, Employment Lawyer

Ariel Cohen assists clients in a broad range of labor and employment matters. She researches and analyzes legal sources for drafting memoranda, pleadings and position statements related to employment law. Ariel also conducts legal research on employment law hot topics and case law and develops training programs that assist employers in maintaining compliance with frequently changing regulations.

While attending law school, Ariel gained experience in risk analysis and compliance, working in the legal division of the Federal Reserve Bank. She externed for Judge Catherine D. Perry at the US District Court for the Eastern District of Missouri and worked as a law clerk at the US Attorney’s Office for the Northern District of Ohio. During her time at Washington University, Ariel served as a Teaching Assistant for the International L.L.M. professional development program. She also acted as managing editor for the Washington University Journal of Law and Policy and earned CALI Excellence for the Future Awards in Legal Writing and Trusts & Estates.

Ariel is a member of the Ohio State and Columbus Bar Associations.