NY SHIELD Act Data Security Requirements Effective This Month
Businesses collecting personal information from New York residents will soon be expected to apply enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019, expanded breach notice requirements in October 2019. Now, On March 21, 2020, the remaining provisions related to data security will also come into effect. As we wrote previously, businesses subject to the law must implement data security programs that include at least the following:
Reasonable administrative safeguards, including: designate one or more employees to coordinate the security program; identification of internal and external risks and safeguards to control the risks; train employees on security practices; select service providers capable of maintaining appropriate safeguards (and contractually require said safeguards);
Reasonable technical safeguards, including: assess risks in network and software design; regularly test and monitor effectiveness of controls, systems, and procedures; and
Reasonable physical safeguards, including: assess risks of information storage and disposal; dispose of private information within a reasonable amount of time after it’s no longer needed for a business purpose; erase information so that it cannot be read or reconstructed.
There are some limited exceptions. Organizations otherwise regulated by federal law such as GLBA and HIPAA are exempt. There is also an exception for small businesses of fewer than 50 employees, less than $3 million in gross revenues in each of last three (3) fiscal years, or less than $5 million in year-end total assets. These “small businesses” may scale their data security program according to their size and complexity, the nature and scope of its business activities, and the nature and sensitivity of the information collected.
Putting it into practice. New York joins other states (including Massachusetts, Nevada and Oregon) to require specific data security protections. Companies who have nationwide security programs in place will want to conduct a gap assessment to verify whether their existing program meets New York’s requirements.