September 22, 2020

Volume X, Number 266

September 21, 2020

New York Strengthens Data Privacy and Security Protections: Employers Must Adopt Safeguards (US)

Joining the growing list of states enacting privacy and data security laws, on July 25, 2019, New York’s governor signed into law the “Stop Hacks and Improve Electronic Data Security” Act (the “SHIELD Act”), amending the state’s data breach notification and cybersecurity law. The SHIELD Act applies to “any person or business that owns … computerized data which includes private information,” regardless of corporate structure, revenues or location. As such, the SHIELD Act will apply not only to businesses and employers in New York, but may also apply to businesses and employers with no physical presence in New York.

The SHIELD Act imposes more expansive data security and data breach notification requirements on companies by:

  • Broadening the scope of “private information” covered under the notification law to include personal information (such as a social security number or driver’s license number), biometric information and email addresses with their corresponding passwords or security questions and answers;

  • Expanding the definition of “breach” of the security of the system to include unauthorized access of computerized data that compromises the security, confidentiality, or integrity of private information;

  • Expanding the territorial scope of the breach notification requirement to any person or entity with private information of a New York resident, not just to those who conduct business in New York;

  • Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information; and

  • Creating requirements for companies to implement reasonable safeguards to protect the security, confidentiality and integrity of private information.

The SHIELD Act, however, affords certain exceptions. Under the new amendments, a company may be exempt from the breach notification requirements if “exposure of Private Information was an inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” The amendments further clarify that businesses will be deemed compliant with the SHIELD Act if the business complies with other laws requiring information security, such as the Health Insurance Portability and Accountability Act Security Rule (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies. Such covered entities are not required to notify affected New York residents regarding such breaches under New York’s breach notification law; however, companies must still notify the New York Attorney General, the Department of State Division of Consumer Protection, and the Division of the State Police regarding the breach.

Additionally, the SHIELD Act does not authorize a private right of action or class action litigation. However, the Attorney General is authorized to bring enforcement actions, and violations may result in civil penalties.

The SHIELD Act’s breach notification amendments take effect October 23, 2019, while the new data security requirements will take effect beginning March 21, 2020.

Employers located in New York or that otherwise possess private information of New York residents should review and update their data security programs to comply with these new amendments.

© Copyright 2020 Squire Patton Boggs (US) LLP

National Law Review, Volume IX, Number 296


About this Author

Lauren Herz Labor & Employment Attorney Squire Patton Boggs New York, NY
Associate

Lauren Herz represents companies in a wide variety of matters that arise out of the employment relationship. She serves clients in a broad range of industries and has significant experience in the fashion and beauty industries.

Lauren provides pre- and pending litigation support on many different types of employment disputes, including wage and hour litigation, and harassment and discrimination matters. She also assists in the representation of clients in Department of Labor audits of wage and hour practices. She is well versed in advising clients on matters involving employee...

212-872-9820
Ariel S. Cohen Labor & Employment Attorney Squire Patton Boggs Columbus, OH
Associate

Ariel Cohen counsels and represents clients in all aspects of labor and employment law, with a focus on multistate matters and the implications of marijuana legislation in the workplace.

Ariel serves companies of all sizes and helps employers resolve charges of discrimination and other disputes before administrative agencies, as well as provides pre- and pending litigation support for a wide variety of employment matters. Ariel also offers e-discovery expertise, including the review of more than a half-million documents.

Ariel is well versed in all aspects of federal, state and local labor and employment laws, including paid sick leave and paid family leave laws, allowing her to provide guidance to employers with employees across the US. She counsels clients by reviewing and drafting employment policies and employee handbooks to ensure compliance with current laws. Ariel further assists clients by staying up to date on hot topics affecting employers in order to develop training programs for employees, managers and human resource professionals in key areas of employment law.

In addition, Ariel has expertise navigating the effects of marijuana in the workplace. She regularly reviews, drafts and advises on company drug policies, including whether companies can consider an applicant’s status as a marijuana user or perform drug testing for marijuana. Ariel likewise counsels clients regarding employers’ obligations to accommodate the use of marijuana. Ariel supports clients by staying current on multistate marijuana regulations for employers and current best practices regarding marijuana use.

Ariel also has broad experience in civil litigation matters, including defending breach of contract claims, as well as claims of property damage and personal injury.

While attending law school, Ariel gained experience in risk analysis and compliance, working in the legal division of the Federal Reserve Bank. She externed for Judge Catherine D. Perry at the US District Court for the Eastern District of Missouri and worked as a law clerk at the US Attorney’s Office for the Northern District of Ohio. During her time at Washington University, Ariel served as the managing editor for the Washington University Journal of Law and Policy.

In the community, Ariel serves on the Young Professionals Council of Nationwide Children’s Hospital.

614-365-2774